1 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
4 <TITLE> Introduction to FreeS/WAN</TITLE>
5 <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
7 BODY { font-family: serif; font-size: 11.0pt }
8 H1 { font-family: sans-serif; font-size: 20.0pt }
9 H2 { font-family: sans-serif; font-size: 17.0pt }
10 H3 { font-family: sans-serif; font-size: 14.0pt }
11 H4 { font-family: sans-serif; font-size: 11.0pt }
12 H5 { font-family: sans-serif; font-size: 9.0pt }
13 H6 { font-family: sans-serif; font-size: 8.0pt }
14 SUB { font-size: 8.0pt }
15 SUP { font-size: 8.0pt }
16 PRE { font-size: 9.0pt }
20 <CENTER><A HREF="#CONTENTS"><H1> Introduction to FreeS/WAN</H1></A><BR>
23 <H1 ALIGN="CENTER"><A NAME="CONTENTS">Table of Contents</A></H1>
25 <BR><B><A HREF="#intro">Introduction</A></B>
27 <LI><A HREF="#ipsec.intro">IPSEC, Security for the Internet Protocol</A></LI>
29 <LI><A HREF="#intro.interop">Interoperating with other IPSEC
30 implementations</A></LI>
31 <LI><A HREF="#applications">Applications of IPSEC</A></LI>
32 <LI><A HREF="#types">The need to authenticate gateways</A></LI>
34 <LI><A HREF="#project">The FreeS/WAN project</A></LI>
36 <LI><A HREF="#goals">Project goals</A></LI>
37 <LI><A HREF="#staff">Project team</A></LI>
38 <LI><A HREF="#webdocs">Information on the web</A></LI>
39 <LI><A HREF="#sites">Distribution sites</A></LI>
40 <LI><A HREF="#archives">Archives of the project mailing list</A></LI>
42 <LI><A HREF="#products">Products containing FreeS/WAN</A></LI>
44 <LI><A HREF="#distwith">Full Linux distributions</A></LI>
45 <LI><A HREF="#fw_dist">Firewall distributions</A></LI>
46 <LI><A HREF="#turnkey">Firewall and VPN products</A></LI>
48 <LI><A HREF="#docs">Documentation</A></LI>
50 <LI><A HREF="#docformats">This HowTo, in multiple formats</A></LI>
51 <LI><A HREF="#text">Other documents in the distribution</A></LI>
52 <LI><A HREF="#howto">User-written HowTo information</A></LI>
53 <LI><A HREF="#applied">Papers on FreeS/WAN</A></LI>
54 <LI><A HREF="#test">Test results</A></LI>
56 <LI><A HREF="#licensing">License and copyright information</A></LI>
57 <LI><A HREF="#1_6">Links to other sections</A></LI>
59 <B><A HREF="#install">Installing FreeS/WAN</A></B>
61 <LI><A HREF="#who.install">Who needs to perform an installation?</A></LI>
62 <LI><A HREF="#re-install">Re-installs</A></LI>
63 <LI><A HREF="#before">Before starting the install</A></LI>
65 <LI><A HREF="#choosek">Choosing a kernel</A></LI>
66 <LI><A HREF="#getkernel">Things you must have installed</A></LI>
67 <LI><A HREF="#2_3_3">Getting FreeS/WAN</A></LI>
68 <LI><A HREF="#kconfig">Kernel configuration</A></LI>
69 <LI><A HREF="#inst-test">Install and test a kernel before adding
72 <LI><A HREF="#building">Building and installing the software</A></LI>
74 <LI><A HREF="#allbut">Everything but kernel installation</A></LI>
75 <LI><A HREF="#newk">Installing the new kernel</A></LI>
76 <LI><A HREF="#2_4_3">Make sure Lilo knows about the new kernel</A></LI>
78 <LI><A HREF="#testinstall">Testing to see if install succeeded</A></LI>
79 <LI><A HREF="#2_6">Where to go from here</A></LI>
81 <B><A HREF="#setup">Configuration</A></B>
83 <LI><A HREF="#example">Our example networks</A></LI>
84 <LI><A HREF="#testnet">Configuration for a testbed network</A></LI>
85 <LI><A HREF="#setupnet">Set up and test networking</A></LI>
87 <LI><A HREF="#forward">Enabling packet forwarding</A></LI>
88 <LI><A HREF="#othersoft">Other software</A></LI>
90 <LI><A HREF="#rtfm">RTFM (please Read The Fine Manuals)</A></LI>
91 <LI><A HREF="#usersakey">Setting up RSA authentication keys</A></LI>
93 <LI><A HREF="#genrsakey">Generating an RSA key pair</A></LI>
94 <LI><A HREF="#keyexchange">Exchanging authentication keys</A></LI>
95 <LI><A HREF="#useRSA">Using RSA signatures for authentication</A></LI>
97 <LI><A HREF="#basic.conf">The configuration file</A></LI>
99 <LI><A HREF="#setup.conf">The setup section of ipsec.conf(5)</A></LI>
100 <LI><A HREF="#conn.default">Connection defaults</A></LI>
101 <LI><A HREF="#edit.conn">Editing a connection description</A></LI>
102 <LI><A HREF="#which">Which is which?</A></LI>
104 <LI><A HREF="#examples">Example setups</A></LI>
106 <LI><A HREF="#VPNex">VPN</A></LI>
107 <LI><A HREF="#roadex">Road Warrior</A></LI>
108 <LI><A HREF="#oppex">Opportunistic encryption</A></LI>
110 <LI><A HREF="#handy">Simplifying ipsec.conf files</A></LI>
111 <LI><A HREF="#fw.basic">Is there a firewall in play?</A></LI>
112 <LI><A HREF="#testing">Testing the installation</A></LI>
114 <LI><A HREF="#matching">Matching numbers</A></LI>
115 <LI><A HREF="#testsetup">Sanity checking</A></LI>
116 <LI><A HREF="#test">Starting a connection</A></LI>
117 <LI><A HREF="#pingtest">Ping tests</A></LI>
118 <LI><A HREF="#tcpdump">Testing with tcpdump</A></LI>
120 <LI><A HREF="#links.conf">What next?</A></LI>
121 <LI><A HREF="#otherconf">Other configuration possibilities</A></LI>
123 <LI><A HREF="#choose">Choosing connection types</A></LI>
124 <LI><A HREF="#prodsecrets">Using shared secrets in production</A></LI>
125 <LI><A HREF="#prodman">Using manual keying in production</A></LI>
126 <LI><A HREF="#boot">Setting up connections at boot time</A></LI>
127 <LI><A HREF="#multitunnel">Multiple tunnels between the same two
129 <LI><A HREF="#biggate">Many tunnels from a single gateway</A></LI>
130 <LI><A HREF="#extruded">Extruded Subnets</A></LI>
131 <LI><A HREF="#roadvirt">Road Warrior with virtual IP address</A></LI>
132 <LI><A HREF="#dynamic">Dynamic Network Interfaces</A></LI>
133 <LI><A HREF="#unencrypted">Unencrypted tunnels</A></LI>
136 <B><A HREF="#manpages">FreeS/WAN manual pages</A></B>
138 <LI><A HREF="#man.file">Files</A></LI>
139 <LI><A HREF="#man.command">Commands</A></LI>
140 <LI><A HREF="#man.lib">Library routines</A></LI>
142 <B><A HREF="#firewall">FreeS/WAN and firewalls</A></B>
144 <LI><A HREF="#packets">IPSEC packets</A></LI>
146 <LI><A HREF="#noport">ESP and AH do not have ports</A></LI>
147 <LI><A HREF="#header">Header layout</A></LI>
149 <LI><A HREF="#filters">Filtering rules for IPSEC packets</A></LI>
151 <LI><A HREF="#through">IPSEC through the gateway</A></LI>
152 <LI><A HREF="#ipsec_only">Preventing non-IPSEC traffic</A></LI>
153 <LI><A HREF="#unknowngate">Filtering packets from unknown gateways</A></LI>
155 <LI><A HREF="#otherfilter">Other packet filters</A></LI>
157 <LI><A HREF="#ICMP">ICMP filtering</A></LI>
158 <LI><A HREF="#traceroute">UDP packets for traceroute</A></LI>
159 <LI><A HREF="#l2tp">UDP for L2TP</A></LI>
161 <LI><A HREF="#NAT">IPSEC and NAT</A></LI>
163 <LI><A HREF="#nat_ok">NAT on or behind the IPSEC gateway works</A></LI>
164 <LI><A HREF="#nat_bad">NAT between gateways is problematic</A></LI>
165 <LI><A HREF="#">Other references on NAT and IPSEC</A></LI>
167 <LI><A HREF="#updown">Calling firewall scripts, named in ipsec.conf(5)</A>
170 <LI><A HREF="#pre_post">Scripts called at IPSEC start and stop</A></LI>
171 <LI><A HREF="#up_down">Scripts called at connection up and down</A></LI>
172 <LI><A HREF="#ipchains.script">Scripts for ipchains</A></LI>
173 <LI><A HREF="#dhr">DHR on the updown script</A></LI>
174 <LI><A HREF="#exupdownchains">Example updown script for ipchains</A></LI>
176 <LI><A HREF="#examplefw">Ipchains firewall configuration at boot</A></LI>
178 <LI><A HREF="#Ranch.trinity">Scripts based on Ranch's work</A></LI>
179 <LI><A HREF="#seawall">The Seattle firewall</A></LI>
180 <LI><A HREF="#rcf">The RCF scripts</A></LI>
183 <B><A HREF="#debug">Linux FreeS/WAN Troubleshooting</A></B>
185 <LI><A HREF="#report">Problem Reporting</A></LI>
186 <LI><A HREF="#logusage">Logs used</A></LI>
187 <LI><A HREF="#info">Information available on your system</A></LI>
189 <LI><A HREF="#pages">man pages provided</A></LI>
190 <LI><A HREF="#statusinfo">Status information</A></LI>
192 <LI><A HREF="#pluto.problems">Pluto problem hints</A></LI>
194 <LI><A HREF="#gdb.pluto">Using GDB on Pluto</A></LI>
196 <LI><A HREF="#ifconfig">ifconfig reports for KLIPS debugging</A></LI>
197 <LI><A HREF="#testgates">Testing between security gateways</A></LI>
198 <LI><A HREF="#c.guide">Claudia's guide</A></LI>
200 <B><A HREF="#kernelconfig">Kernel configuration for FreeS/WAN</A></B>
202 <LI><A HREF="#notall">Not everyone needs to worry about kernel
203 configuration</A></LI>
204 <LI><A HREF="#assume">Assumptions and notation</A></LI>
206 <LI><A HREF="#labels">Labels used</A></LI>
208 <LI><A HREF="#kernelopt">Kernel options for FreeS/WAN</A></LI>
210 <B><A HREF="#roadmap">Distribution Roadmap: What's Where in Linux
213 <LI><A HREF="#top">Top directory</A></LI>
214 <LI><A HREF="#doc">Documentation</A></LI>
215 <LI><A HREF="#klips.roadmap">KLIPS: kernel IP security</A></LI>
216 <LI><A HREF="#pluto.roadmap">Pluto key and connection management daemon</A>
218 <LI><A HREF="#utils">Utils</A></LI>
219 <LI><A HREF="#lib">Libraries</A></LI>
221 <LI><A HREF="#fswanlib">FreeS/WAN Library</A></LI>
222 <LI><A HREF="#otherlib">Imported Libraries</A></LI>
225 <B><A HREF="#compat">Linux FreeS/WAN Compatibility Guide</A></B>
227 <LI><A HREF="#spec">Implemented parts of the IPSEC Specification</A></LI>
229 <LI><A HREF="#in">In Linux FreeS/WAN</A></LI>
230 <LI><A HREF="#dropped">Deliberately ommitted</A></LI>
231 <LI><A HREF="#not">Not (yet) in Linux FreeS/WAN</A></LI>
233 <LI><A HREF="#pfkey">Our PF-Key implementation</A></LI>
235 <LI><A HREF="#pfk.port">PF-Key portability</A></LI>
237 <LI><A HREF="#otherk">Kernels other than 2.0.38 and 2.2.18</A></LI>
239 <LI><A HREF="#kernel.2.0">Other 2.0.x Intel Kernels</A></LI>
240 <LI><A HREF="#kernel.production">2.2 and 2.4 Kernels</A></LI>
242 <LI><A HREF="#otherdist">Intel Linux distributions other than Redhat</A></LI>
244 <LI><A HREF="#rh7">Redhat 7.0</A></LI>
245 <LI><A HREF="#suse">SuSE Linux</A></LI>
246 <LI><A HREF="#slack">Slackware</A></LI>
247 <LI><A HREF="#deb">Debian</A></LI>
248 <LI><A HREF="#caldera">Caldera</A></LI>
250 <LI><A HREF="#CPUs">CPUs other than Intel</A></LI>
252 <LI><A HREF="# strongarm">Corel Netwinder (StrongARM CPU)</A></LI>
253 <LI><A HREF="#yellowdog">Yellow Dog Linux on Power PC</A></LI>
254 <LI><A HREF="#mklinux">Mklinux</A></LI>
255 <LI><A HREF="#alpha">Alpha 64-bit processors</A></LI>
256 <LI><A HREF="#SPARC">Sun SPARC processors</A></LI>
257 <LI><A HREF="#mips">MIPS processors</A></LI>
258 <LI><A HREF="#coldfire">Motorola Coldfire</A></LI>
260 <LI><A HREF="#multiprocessor">Multiprocessor machines</A></LI>
261 <LI><A HREF="#hardware">Support for crypto hardware</A></LI>
262 <LI><A HREF="#ipv6">IP version 6 (IPng)</A></LI>
264 <LI><A HREF="#v6.back">IPv6 background</A></LI>
267 <B><A HREF="#10">Interoperation with other IPSEC implementations</A></B>
269 <LI><A HREF="#patch.interop">Patches to extend interoperability</A></LI>
270 <LI><A HREF="#interop.problem">Interoperability problems</A></LI>
272 <LI><A HREF="#noDES">Systems that want to use single DES</A></LI>
274 <LI><A HREF="#otherpub">Interop HowTo documents</A></LI>
275 <LI><A HREF="#mail.interop">Interoperation with specific products</A></LI>
277 <LI><A HREF="#oldswan">Older versions of FreeS/WAN</A></LI>
278 <LI><A HREF="#OpenBSD">OpenBSD</A></LI>
279 <LI><A HREF="#FreeBSD">FreeBSD</A></LI>
280 <LI><A HREF="#NetBSD">NetBSD</A></LI>
281 <LI><A HREF="#Cisco">Cisco Routers</A></LI>
282 <LI><A HREF="#bay">Nortel (Bay Networks) Contivity switch</A></LI>
283 <LI><A HREF="#Raptor">Raptor Firewall</A></LI>
284 <LI><A HREF="#gauntlet">Gauntlet firewall GVPN</A></LI>
285 <LI><A HREF="#checkpoint">Checkpoint Firewall-1</A></LI>
286 <LI><A HREF="#redcreek">Redcreek Ravlin</A></LI>
287 <LI><A HREF="#sentinel">SSH Sentinel</A></LI>
288 <LI><A HREF="#Fsecure">F-Secure VPN for Windows</A></LI>
289 <LI><A HREF="#watchguard">Watchguard</A></LI>
290 <LI><A HREF="#Xedia">Xedia Access Point/QVPN</A></LI>
291 <LI><A HREF="#pgpnet">PGP Mac and Windows IPSEC Client</A></LI>
292 <LI><A HREF="#IRE">IRE Safenet/SoftPK</A></LI>
293 <LI><A HREF="#borderware">Borderware</A></LI>
294 <LI><A HREF="#freegate">Freegate</A></LI>
295 <LI><A HREF="#timestep">Timestep</A></LI>
296 <LI><A HREF="#shiva">Shiva/Intel LANrover</A></LI>
297 <LI><A HREF="#solaris">Sun Solaris</A></LI>
298 <LI><A HREF="#sonicwall">Sonicwall</A></LI>
299 <LI><A HREF="#radguard">Radguard</A></LI>
300 <LI><A HREF="#winclient">Windows clients</A></LI>
301 <LI><A HREF="#NTdomain">NT domains vs. tunnels</A></LI>
302 <LI><A HREF="#win2k">Windows 2000</A></LI>
305 <B><A HREF="#politics">History and politics of cryptography</A></B>
307 <LI><A HREF="#intro.politics">Introduction</A></LI>
309 <LI><A HREF="#11_1_1">History</A></LI>
310 <LI><A HREF="#intro.poli">Politics</A></LI>
311 <LI><A HREF="#11_1_3">Links</A></LI>
312 <LI><A HREF="#11_1_4">Outline of this section</A></LI>
314 <LI><A HREF="#leader">From our project leader</A></LI>
316 <LI><A HREF="#gilmore">Swan: Securing the Internet against Wiretapping</A>
318 <LI><A HREF="#policestate">Stopping wholesale monitoring</A></LI>
320 <LI><A HREF="#weak">Government promotion of weak crypto</A></LI>
322 <LI><A HREF="#escrow">Escrowed encryption</A></LI>
323 <LI><A HREF="#shortkeys">Limited key lengths</A></LI>
325 <LI><A HREF="#exlaw">Cryptography Export Laws</A></LI>
327 <LI><A HREF="#USlaw">US Law</A></LI>
328 <LI><A HREF="#wrong">What's wrong with restrictions on cryptography</A></LI>
329 <LI><A HREF="#Wassenaar">The Wassenaar Arrangement</A></LI>
330 <LI><A HREF="#status">Export status of Linux FreeS/WAN</A></LI>
331 <LI><A HREF="#help">Help spread IPSEC around</A></LI>
333 <LI><A HREF="#desnotsecure">DES is Not Secure</A></LI>
335 <LI><A HREF="#deshware">Dedicated hardware breaks DES in a few days</A></LI>
336 <LI><A HREF="#spooks">Spooks may break DES faster yet</A></LI>
337 <LI><A HREF="#desnet">Networks break DES in a few weeks</A></LI>
338 <LI><A HREF="#no_des">We disable DES</A></LI>
339 <LI><A HREF="#40joke">40-bits is laughably weak</A></LI>
340 <LI><A HREF="#altdes">Triple DES is almost certainly secure</A></LI>
341 <LI><A HREF="#aes.ipsec">AES in IPSEC</A></LI>
343 <LI><A HREF="#press">Press coverage of Linux FreeS/WAN:</A></LI>
345 <LI><A HREF="#11_6_1">FreeS/WAN 1.0 press</A></LI>
346 <LI><A HREF="#release">Press release for version 1.0</A></LI>
349 <B><A HREF="#ipsec.detail">The IPSEC protocols</A></B>
351 <LI><A HREF="#others">Applying IPSEC</A></LI>
353 <LI><A HREF="#advantages">Advantages of IPSEC</A></LI>
354 <LI><A HREF="#limitations">Limitations of IPSEC</A></LI>
355 <LI><A HREF="#uses">IPSEC is a general mechanism for securing IP</A></LI>
356 <LI><A HREF="#authonly">Using authentication without encryption</A></LI>
357 <LI><A HREF="#encnoauth">Encryption without authentication is dangerous</A>
359 <LI><A HREF="#multilayer">Multiple layers of IPSEC processing are
361 <LI><A HREF="#traffic.resist">Resisting traffic analysis</A></LI>
363 <LI><A HREF="#primitives">Cryptographic components</A></LI>
365 <LI><A HREF="#block.cipher">Block ciphers</A></LI>
366 <LI><A HREF="#hash.ipsec">Hash functions</A></LI>
367 <LI><A HREF="#DH.keying">Diffie-Hellman key agreement</A></LI>
368 <LI><A HREF="#RSA.auth">RSA authentication</A></LI>
370 <LI><A HREF="#structure">Structure of IPSEC</A></LI>
372 <LI><A HREF="#IKE.ipsec">IKE (Internet Key Exchange)</A></LI>
373 <LI><A HREF="#services">IPSEC Services, AH and ESP</A></LI>
374 <LI><A HREF="#AH.ipsec">The Authentication Header (AH)</A></LI>
375 <LI><A HREF="#ESP.ipsec">Encapsulated Security Payload (ESP)</A></LI>
377 <LI><A HREF="#modes">IPSEC modes</A></LI>
379 <LI><A HREF="#tunnel.ipsec">Tunnel mode</A></LI>
380 <LI><A HREF="#transport.ipsec">Transport mode</A></LI>
382 <LI><A HREF="#parts">FreeS/WAN parts</A></LI>
384 <LI><A HREF="#KLIPS.ipsec">KLIPS: Kernel IPSEC Support</A></LI>
385 <LI><A HREF="#Pluto.ipsec">The Pluto daemon</A></LI>
386 <LI><A HREF="#command">The ipsec(8) command</A></LI>
387 <LI><A HREF="#ipsec.conf">Linux FreeS/WAN configuration file</A></LI>
389 <LI><A HREF="#key">Key management</A></LI>
391 <LI><A HREF="#current">Currently Implemented Methods</A></LI>
392 <LI><A HREF="#notyet">Methods not yet implemented</A></LI>
395 <B><A HREF="#lists">Mailing lists and newsgroups</A></B>
397 <LI><A HREF="#list.fs">Mailing lists about FreeS/WAN</A></LI>
399 <LI><A HREF="#projlist">The project mailing lists</A></LI>
400 <LI><A HREF="#archive">Archives of the lists</A></LI>
402 <LI><A HREF="#indexes">Indexes of mailing lists</A></LI>
403 <LI><A HREF="#otherlists">Lists for related software and topics</A></LI>
405 <LI><A HREF="#linux.lists">Linux mailing lists</A></LI>
406 <LI><A HREF="#ietf">Lists for IETF working groups</A></LI>
407 <LI><A HREF="#other">Other mailing lists</A></LI>
409 <LI><A HREF="#newsgroups">Usenet newsgroups</A></LI>
411 <B><A HREF="#weblink">Web links</A></B>
413 <LI><A HREF="#freeswan">The Linux FreeS/WAN Project</A></LI>
415 <LI><A HREF="#patch">Add-ons and patches for FreeS/WAN</A></LI>
416 <LI><A HREF="#dist">Distributions including FreeS/WAN</A></LI>
417 <LI><A HREF="#used">Things FreeS/WAN uses or could use</A></LI>
418 <LI><A HREF="#alternatives">Other approaches to VPNs for Linux</A></LI>
420 <LI><A HREF="#ipsec.link">The IPSEC Protocols</A></LI>
422 <LI><A HREF="#general">General IPSEC or VPN information</A></LI>
423 <LI><A HREF="#overview">IPSEC overview documents or slide sets</A></LI>
424 <LI><A HREF="#otherlang">IPSEC information in languages other than
426 <LI><A HREF="#RFCs1">RFCs and other reference documents</A></LI>
427 <LI><A HREF="#analysis">Analysis and critiques of IPSEC protocols</A></LI>
428 <LI><A HREF="#IP.background">Background information on IP</A></LI>
430 <LI><A HREF="#implement">IPSEC Implementations</A></LI>
432 <LI><A HREF="#linuxprod">Linux products</A></LI>
433 <LI><A HREF="#router">IPSEC in router products</A></LI>
434 <LI><A HREF="#fw.web">IPSEC in firewall products</A></LI>
435 <LI><A HREF="#ipsecos">Operating systems with IPSEC support</A></LI>
436 <LI><A HREF="#opensource">Open source IPSEC implementations</A></LI>
437 <LI><A HREF="#interop">Interoperability</A></LI>
439 <LI><A HREF="#linux.link">Linux links</A></LI>
441 <LI><A HREF="#linux.basic">Basic and tutorial Linux information</A></LI>
442 <LI><A HREF="#general">General Linux sites</A></LI>
443 <LI><A HREF="#docs1">Documentation</A></LI>
444 <LI><A HREF="#advroute.web">Advanced routing</A></LI>
445 <LI><A HREF="#linsec">Security for Linux</A></LI>
446 <LI><A HREF="#firewall.linux">Linux firewalls</A></LI>
447 <LI><A HREF="#linux.misc">Miscellaneous Linux information</A></LI>
449 <LI><A HREF="#crypto.link">Crypto and security links</A></LI>
451 <LI><A HREF="#security">Crypto and security resources</A></LI>
452 <LI><A HREF="#policy">Cryptography law and policy</A></LI>
453 <LI><A HREF="#crypto.tech">Cryptography technical information</A></LI>
454 <LI><A HREF="#compsec">Computer and network security</A></LI>
455 <LI><A HREF="#people">Links to home pages</A></LI>
458 <B><A HREF="#ourgloss">Glossary for the Linux FreeS/WAN project</A></B>
460 <LI><A HREF="#jump">Jump to a letter in the glossary</A></LI>
461 <LI><A HREF="#gloss">Other glossaries</A></LI>
462 <LI><A HREF="#definitions">Definitions</A></LI>
464 <B><A HREF="#biblio">Bibliography for the Linux FreeS/WAN project</A></B>
466 <BR><B><A HREF="#RFC">IPSEC RFCs and related documents</A></B>
468 <LI><A HREF="#RFCfile">The RFCs.tar.gz Distribution File</A></LI>
469 <LI><A HREF="#sources">Other sources for RFCs & Internet drafts</A></LI>
471 <LI><A HREF="#RFCdown">RFCs</A></LI>
472 <LI><A HREF="#drafts">Internet Drafts</A></LI>
473 <LI><A HREF="#FIPS1">FIPS standards</A></LI>
474 <LI><A HREF="#doc.cd">Document CDs</A></LI>
476 <LI><A HREF="#RFCs.tar.gz">What's in the RFCs.tar.gz bundle?</A></LI>
478 <LI><A HREF="#rfc.ov">Overview RFCs</A></LI>
479 <LI><A HREF="#basic.prot">Basic protocols</A></LI>
480 <LI><A HREF="#key.ike">Key management</A></LI>
481 <LI><A HREF="#rfc.detail">Details of various things used</A></LI>
482 <LI><A HREF="#rfc.ref">Older RFCs which may be referenced</A></LI>
483 <LI><A HREF="#rfc.dns">RFCs for secure DNS service, which IPSEC may use</A>
485 <LI><A HREF="#rfc.exp">RFCs labelled "experimental"</A></LI>
486 <LI><A HREF="#rfc.rel">Related RFCs</A></LI>
489 <B><A HREF="#18">FreeS/WAN FAQ</A></B>
491 <LI><A HREF="#questions">Questions</A></LI>
492 <LI><A HREF="#whatzit"> What is FreeS/WAN?</A></LI>
493 <LI><A HREF="#problems">How do I report a problem or seek help?</A></LI>
494 <LI><A HREF="#generic">Generic questions</A></LI>
496 <LI><A HREF="#lemme_out">This is too complicated. Isn't there an easier
498 <LI><A HREF="#commercial">Can I get commercial support for this product?</A>
500 <LI><A HREF="#modify.faq">Can I modify FreeS/WAN to ...?</A></LI>
501 <LI><A HREF="#contrib.faq">Can I contribute to the project?</A></LI>
502 <LI><A HREF="#ddoc.faq">Is there detailed design documentation?</A></LI>
503 <LI><A HREF="#interop.faq">Can FreeS/WAN talk to ...?</A></LI>
504 <LI><A HREF="#old_to_new">Can different FreeS/WAN versions talk to each
506 <LI><A HREF="#versions">Does FreeS/WAN run on my version of Linux?</A></LI>
507 <LI><A HREF="#k.versions">Does FreeS/WAN run on the latest kernel
509 <LI><A HREF="#faq.speed">Is a ... fast enough to handle FreeS/WAN with
510 ... connections?</A></LI>
512 <LI><A HREF="#compile.faq">Compilation problems</A></LI>
514 <LI><A HREF="#gmp.h_missing">gmp.h: No such file or directory</A></LI>
515 <LI><A HREF="#noVM">... virtual memory exhausted</A></LI>
517 <LI><A HREF="#setup.faq">Life's little mysteries</A></LI>
519 <LI><A HREF="#cantping">I cannot ping ....</A></LI>
520 <LI><A HREF="#forever">It takes forever to ...</A></LI>
521 <LI><A HREF="#route">I send packets to the tunnel with route(8) but
523 <LI><A HREF="#down_route">When a tunnel goes down, packets vanish</A></LI>
524 <LI><A HREF="#firewall_ate">The firewall ate my packets!</A></LI>
525 <LI><A HREF="#dropconn">Dropped connections</A></LI>
526 <LI><A HREF="#tcpdump.faq">TCPdump on the gateway shows strange things</A>
528 <LI><A HREF="#no_trace">Traceroute does not show anything between the
531 <LI><A HREF="#man4debug">Testing in stages</A></LI>
533 <LI><A HREF="#nomanual">Manually keyed connections don't work</A></LI>
534 <LI><A HREF="#spi_error">One manual connection works, but second one
536 <LI><A HREF="#man_no_auto">Manual connections work, but automatic
537 keying doesn't</A></LI>
538 <LI><A HREF="#nocomp">IPSEC works, but connections using compression
540 <LI><A HREF="#pmtu.broken">Small packets work, but large transfers fail</A>
542 <LI><A HREF="#subsub">Subnet-to-subnet works, but tests from the
543 gateways don't</A></LI>
545 <LI><A HREF="#error">Interpreting error messages</A></LI>
547 <LI><A HREF="#unreachable">SIOCADDRT:Network is unreachable</A></LI>
548 <LI><A HREF="#noKLIPS">ipsec_setup: Fatal error, kernel appears to lack
550 <LI><A HREF="#noDNS">ipsec_setup: ... failure to fetch key for ... from
552 <LI><A HREF="#dup_address">ipsec_setup: ... interfaces ... and ...
553 share address ...</A></LI>
554 <LI><A HREF="#kflags">ipsec_setup: Cannot adjust kernel flags</A></LI>
555 <LI><A HREF="#conn_name">Connection names in Pluto error messages</A></LI>
556 <LI><A HREF="#cantorient">Pluto: ... can't orient connection</A></LI>
557 <LI><A HREF="#noconn">Pluto: ... no connection is known</A></LI>
558 <LI><A HREF="#nosuit">Pluto: ... no suitable connection ...</A></LI>
559 <LI><A HREF="#noconn.auth">Pluto: ... no connection has been authorized</A>
561 <LI><A HREF="#noDESsupport">Pluto: ... OAKLEY_DES_CBC is not supported.</A>
563 <LI><A HREF="#notransform"> Pluto: ... no acceptable transform</A></LI>
564 <LI><A HREF="#econnrefused">ECONNREFUSED error message</A></LI>
565 <LI><A HREF="#SAused">... trouble writing to /dev/ipsec ... SA already
567 <LI><A HREF="#ignore">... ignoring ... payload</A></LI>
569 <LI><A HREF="#canI">Can I ...</A></LI>
571 <LI><A HREF="#reload">Can I reload connection info without restarting?</A>
573 <LI><A HREF="#masq.faq">Can I use several masqueraded subnets?</A></LI>
574 <LI><A HREF="#dup_route">Can I use subnets masqueraded to the same
576 <LI><A HREF="#road.masq">Can I assign a road warrior an address on my
578 <LI><A HREF="#QoS">Can I use Quality of Service routing with FreeS/WAN?</A>
580 <LI><A HREF="#deadtunnel">Can I recognise dead tunnels and shut them
582 <LI><A HREF="#demanddial">Can I build IPSEC tunnels over a
583 demand-dialed link?</A></LI>
584 <LI><A HREF="#GRE">Can I build GRE tunnels over IPSEC?</A></LI>
585 <LI><A HREF="#PKIcert"> Does FreeS/WAN support X.509 or other PKI
586 certificates?</A></LI>
587 <LI><A HREF="#Radius">Does FreeS/WAN support Radius or other user
588 authentication?</A></LI>
589 <LI><A HREF="#noDES.faq">Does FreeS/WAN support single DES encryption?</A>
592 <LI><A HREF="#spam">Why don't you restrict the mailing lists to reduce
595 <B><A HREF="#performance">Performance of FreeS/WAN</A></B>
597 <LI><A HREF="#methods">Methods of mesasuring</A></LI>
600 <H1><A name="intro">Introduction</A></H1>
601 <P>This section gives an overview of:</P>
603 <LI>what IP Security (IPSEC) does</LI>
604 <LI>how IPSEC works</LI>
605 <LI>why we are implementing it for Linux</LI>
606 <LI>how this implementation works</LI>
608 <P> This section is intended to cover only the essentials, <EM>things
609 you should know before trying to use FreeS/WAN.</EM></P>
610 <P> For more detailed background information, see the <A href="politics.html">
611 history and politics</A> and <A href="ipsec.html">IPSEC protocols</A>
613 <H2><A name="ipsec.intro">IPSEC, Security for the Internet Protocol</A></H2>
614 <P> FreeS/WAN is a Linux implementation of the IPSEC (IP security)
615 protocols. IPSEC provides encryption and authentication services at the
616 IP (Internet Protocol) level of the network protocol stack. </P>
617 <P> Working at this level, IPSEC can protect any traffic carried over
618 IP, unlike other encryption which generally protects only a particular
619 higher-level protocol -- <A href="#PGP">PGP</A> for mail, <A href="#SSH">
620 SSH</A> for remote login, <A href="#SSL">SSL</A> for web work, and so
621 on. This has both advantages and disadvantages, discussed in our <A href="#others">
622 IPSEC section</A></P>
623 <P> IPSEC can be used on any machine which does IP networking.
624 Dedicated IPSEC gateway machines can be installed wherever required to
625 protect traffic. IPSEC can also run on routers, on firewall machines,
626 on various application servers, and on end-user desktop or laptop
628 <P> Three protocols are used</P>
630 <LI><A href="#AH">AH</A> (Authentication Header) provides a
631 packet-level authentication service</LI>
632 <LI><A href="#ESP">ESP</A> (Encapsulating Security Payload) provides
633 encryption plus authentication</LI>
634 <LI><A href="#IKE">IKE</A> (Internet Key Exchange) negotiates
635 connection parameters, including keys, for the other two</LI>
637 <P> Our implementation has three main parts:</P>
639 <LI><A href="#KLIPS">KLIPS</A> (kernel IPSEC) implements AH, ESP, and
640 packet handling within the kernel</LI>
641 <LI><A href="#Pluto">Pluto</A> (an IKE daemon) implements IKE,
642 negotiating connections with other systems</LI>
643 <LI>various scripts provide an adminstrator's interface to the
646 <P> IPSEC is optional for the current (version 4) Internet Protocol.
647 FreeS/WAN adds IPSEC to the Linux IPv4 network stack. Implementations
648 of <A href="#ipv6.gloss">IP version 6</A> are required to include
649 IPSEC. Work toward integrating FreeS/WAN into the Linux IPv6 stack has <A
650 href="#ipv6">started</A>.</P>
651 <P>For more information on IPSEC, see our <A href="ipsec.html">IPSEC
652 protocols</A> section, our collection of <A href="#ipsec.link">IPSEC
653 links</A> or the <A href="rfc.html">RFCs</A> which are the official
654 definitions of these protocols.</P>
655 <H3><A name="intro.interop">Interoperating with other IPSEC
656 implementations</A></H3>
657 <P>IPSEC is designed to let different implementations work together. We
660 <LI>a <A href="#implement">list</A> of some other implementations</LI>
661 <LI>information on <A href="interop.html">using FreeS/WAN with other
662 implementations</A></LI>
664 <P> The VPN Consortium fosters cooperation among implementers and
665 interoperability among implementations. Their <A href="http://www.vpnc.org/">
666 web site</A> has much more information. </P>
667 <H3><A name="applications">Applications of IPSEC</A></H3>
668 <P> Because IPSEC operates at the network layer, it is remarkably
669 flexible and can be used to secure nearly any type of Internet traffic.
670 Two applications, however, are extremely widespread:</P>
672 <LI>a <A href="#vpn">Virtual Private Network</A>, or VPN, allows
673 multiple sites to communicate securely over an insecure Internet by
674 encrypting all communication between the sites.</LI>
675 <LI>"Road Warriors" connect to the office from home, or perhaps from a
678 <P> There is enough opportunity in these applications that vendors are
679 flocking to them. IPSEC is being built into routers, into firewall
680 products, and into major operating systems, primarily to support these
681 applications. See our <A href="#implement">list</A> of implementations
683 <P> We support both of those applications, and various less common
684 IPSEC applications as well, but we also add one of our own:</P>
686 <LI>opportunistic encryption, the ability to set up FreeS/WAN gateways
687 so that any two of them can encrypt to each other, and will do so
688 whenever packets pass between them.</LI>
690 <P>This is an extension we are adding to the protocols. FreeS/WAN is
691 the first prototype implementation, though we hope other IPSEC
692 implementations will adopt the technique once we demonstrate it. See <A href="#goals">
693 project goals</A> below for why we think this is important.</P>
694 <P>A somewhat more detailed description of each of these applications
695 is below. Our <A href="config.html">setup</A> section will show you how
696 to build each of them.</P>
697 <H4><A name="makeVPN">Using secure tunnels to create a VPN</A></H4>
698 <P> A VPN, or <STRONG>V</STRONG>irtual <STRONG>P</STRONG>rivate <STRONG>
699 N</STRONG>etwork lets two networks communicate securely when the only
700 connection between them is over a third network which they do not trust.</P>
701 <P>The method is to put a security gateway machine between each of the
702 communicating networks and the untrusted network. The gateway machines
703 encrypt packets entering the untrusted net and decrypt packets leaving
704 it, creating a secure tunnel through it.</P>
705 <P>If the cryptography is strong, the implementation is careful, and
706 the administration of the gateways is competent, then one can
707 reasonably trust the security of the tunnel. The two networks then
708 behave like a single large private network, some of whose links are
709 encrypted tunnels through untrusted nets.</P>
710 <P>Actual VPNs are often more complex. One organisation may have fifty
711 branch offices, plus some suppliers and clients, with whom it needs to
712 communicate securely. Another might have 5,000 stores, or 50,000
713 point-of-sale devices. The untrusted network need not be the Internet.
714 All the same issues arise on a corporate or institutional network
715 whenever two departments want to communicate privately with each other.</P>
716 <P>Administratively, the nice thing about many VPN setups is that large
717 parts of them are static. You know the IP addresses of most of the
718 machines involved. More important, you know they will not change on
719 you. This simplifies some of the admin work. For cases where the
720 addresses do change, see the next section.</P>
721 <H4><A name="road.intro">Road Warriors</A></H4>
722 <P> The prototypical "Road Warrior" is a traveller connecting to home
723 base from a laptop machine. Administratively, most of the same problems
724 arise for a telecommuter connecting from home to the office, especially
725 if the telecommuter does not have a static IP address.</P>
726 <P>For purposes of this document:</P>
728 <LI>anyone with a dynamic IP address is a "Road Warrior".</LI>
729 <LI>any machine doing IPSEC processing is a "gateway". Think of the
730 single-user road warrior machine as a gateway with a degenerate subnet
731 (one machine, itself) behind it.</LI>
733 <P> These require somewhat different setup than VPN gateways with
734 static addresses and with client systems behind them, but are basically
736 <P> There are some difficulties which appear for some road warrior
739 <LI>Road Wariors who get their addresses via DHCP may have a problem.
740 FreeS/WAN can quite happily build and use a tunnel to such an address,
741 but when the DHCP lease expires, FreeS/WAN does not know that. The
742 tunnel fails, and the only recovery method is to tear it down and
744 <LI>If Network Address Translation (NAT) is applied between the two
745 IPSEC Gateways, this breaks IPSEC. IPSEC authenticates packets on an
746 end-to-end basis, to ensure they are not altered en route. NAT
747 rewrites packets as they go by. See our <A href="#NAT">firewalls</A>
748 document for details.</LI>
750 <P> In most situations, however, FreeS/WAN supports road warrior
751 connections just fine.</P>
752 <H4><A name="opp.intro">Opportunistic encryption</A></H4>
753 <P> One of the reasons we are working on FreeS/WAN is that it gives us
754 the opportunity to add what we call opportuntistic encryption. This
755 means that any two FreeS/WAN gateways will be able to encrypt their
756 traffic, <EM>even if the two gateway administrators have had no prior
757 contact and neither system has any preset information about the other</EM>
758 . We hope this will go some distance toward creating a secure
759 Internet, an environment where message privacy is the default. See our <A
760 href="politics.html">history and politics of cryptography</A> section
762 <P> Both systems pick up the authentication information they need from
763 the <A href="glossary.html#DNS.gloss">DNS</A> (domain name service),
764 the service they already use to look up IP addresses. Of course the
765 administrators must put that information in the DNS, and must set up
766 their gateways with opportunistic encryption enabled. Once that is
767 done, everything is automatic. The gateways look for opportunities to
768 encrypt, and encrypt whatever they can. Whether they also accept
769 unencrypted communication is a policy decision the administrator can
771 <P> A draft document giving most of the details of how we plan to
772 implement this has been posted to the mailing list. See <A href="#applied">
774 <P> Only one current product we know of implements a form of
775 opportunistic encryption. <A href="#ssmail">Secure sendmail</A> will
776 automatically encrypt server-to-server mail transfers whenever possible.</P>
777 <H3><A name="types">The need to authenticate gateways</A></H3>
778 <P>A complication, which applies to any type of connection -- VPN, Road
779 Warrior or opportunistic -- is that a secure connection cannot be
780 created magically. <EM>There must be some mechanism which enables the
781 gateways to reliably identify each other.</EM> Without this, they
782 cannot sensibly trust each other and cannot create a genuinely secure
784 <P>Any link they do create without some form of <A href="#authentication">
785 authentication</A> will be vulnerable to a <A href="#middle">
786 man-in-the-middle attack</A>. If <A href="#alicebob">Alice and Bob</A>
787 are the people creating the connection, a villian who can re-route or
788 intercept the packets can pose as Alice while talking to Bob and pose
789 as Bob while talking to Alice. Alice and Bob then both talk to the man
790 in the middle, thinking they are talking to each other, and the villain
791 gets everything sent on the bogus "secure" connection.</P>
792 <P>There are two ways to build links securely, both of which exclude
793 the man-in-the middle:</P>
795 <LI>with <STRONG>manual keying</STRONG>, Alice and Bob share a secret
796 key (which must be transmitted securely, perhaps in a note or via PGP
797 or SSH) to encrypt their messages. For FreeS/WAN, such keys are stored
798 in the <A href="manpage.d/ipsec.conf.5.html">ipsec.conf(5)</A> file. Of
799 course, if an enemy gets the key, all is lost.</LI>
800 <LI>with <STRONG>automatic keying</STRONG>, the two systems
801 authenticate each other and negotiate their own secret keys. The keys
802 are automatically changed periodically.</LI>
804 <P> Automatic keying is much more secure, since if an enemy gets one
805 key only messages between the previous re-keying and the next are
806 exposed. It is therefore the usual mode of operation for most IPSEC
807 deployment, and the mode we use in our setup examples. FreeS/WAN does
808 support manual keying for special circumstanes. See this <A href="#prodman">
810 <P> For automatic keying, the two systems must authenticate each other
811 during the negotiations. There is a choice of methods for this:</P>
813 <LI>a <STRONG>shared secret</STRONG> provides authentication. If Alice
814 and Bob are the only ones who know a secret and Alice recives a
815 message which could not have been created without that secret, then
816 Alice can safely believe the message came from Bob.</LI>
817 <LI>a <A href="#public">public key</A> can also provide authentication.
818 If Alice receives a message signed with Bob's private key (which of
819 course only he should know) and she has a trustworthy copy of his
820 public key (so that she can verify the signature), then she can safely
821 believe the message came from Bob.</LI>
823 <P> Public key techniques are much preferable, for reasons discussed <A href="#choose">
824 later</A>, and will be used in all our setup examples. FreeS/WAN does
825 also support auto-keying with shared secret authentication. See this <A href="#prodsecrets">
827 <H2><A name="project">The FreeS/WAN project</A></H2>
828 <H3><A name="goals">Project goals</A></H3>
829 <P> Our overall goal in FreeS/WAN is to make the Internet more secure
830 and more private.</P>
831 <P> Our IPSEC implementation supports VPNs and Road Warriors of course.
832 Those are important applications. Many users will want FreeS/WAN to
833 build corporate VPNs or to provide secure remote access. </P>
834 <P> However, our goals in building it go beyond that. We are trying to
835 help <STRONG>build security into the fabric of the Internet</STRONG> so
836 that anyone who choses to communicate securely can do so, as easily as
837 they can do anything else on the net.</P>
838 <P>More detailed objectives are:</P>
840 <LI>help make IPSEC widespread by providing an implementation with no
843 <LI>freely available in source code under the <A href="#GPL">GNU
844 General Public License</A></LI>
845 <LI>running on a range of readily available hardware</LI>
846 <LI>not subject to US or other nations' <A href="#exlaw">export
848 <BR> Note that in order to avoid <EM>even the appearance</EM> of being
849 subject to those laws, the project cannot accept software
850 contributions -- <EM>not even one-line bug fixes</EM> -- from US
851 residents or citizens.</LI>
854 <LI>provide a high-quality IPSEC implementation for Linux
856 <LI>portable to all CPUs Linux supports: <A href="#CPUs">(current list)</A>
858 <LI>interoperable with other IPSEC implementations: <A href="interop.html">
859 (current list)</A></LI>
862 <LI>extend IPSEC to do <A href="#carpediem">opportunistic encryption</A>
865 <LI>any two systems can secure their communications without a
866 pre-arranged connection</LI>
867 <LI>secure connections can be the default, falling back to unencrypted
870 <LI><EM>both</EM> the partner is not set up to co-operate on securing
872 <LI><EM>and</EM> your policy allows insecure connections </LI>
875 <LI>a significant fraction of all Internet traffic is encrypted</LI>
879 <P> If we can get opportunistic encryption implemented and widely
880 deployed, then it becomes impossible for even huge well-funded agencies
881 to monitor the net. </P>
882 <P> See also our section on <A href="politics.html">history and politics</A>
883 of cryptography, which includes our project leader's <A href="#gilmore">
884 rationale</A> for starting the project.</P>
885 <H3><A name="staff">Project team</A></H3>
886 Two of the team are from the US and can therefore contribute no code:
888 <LI>John Gilmore: founder and policy-maker (<A href="http://www.toad.com/gnu/">
890 <LI>Hugh Daniel: project manager, Most Demented Tester, and
891 occasionally Pointy-Haired Boss </LI>
893 The rest of the team are Canadians, working in Canada. (<A href="#status">
896 <LI>Henry Spencer: technical lead, script programming </LI>
897 <LI>Hugh Redelmeier: <A href="#Pluto">Pluto daemon</A> programmer </LI>
898 <LI>Richard Guy Briggs: <A href="#KLIPS">KLIPS</A> programmer </LI>
899 <LI>Claudia Schmeing: technical support via the <A href="mail.html">
900 mailing lists</A></LI>
901 <LI>Sandy Harris: documentation </LI>
903 The project is funded by civil libertarians who consider our goals
904 worthwhile. The team are paid for this work.
905 <P> People outside this core team have made substantial contributions.
908 <LI>our <A href="../CREDITS">CREDITS</A> file </LI>
909 <LI>the <A href="#patch">patches and add-ons</A> section of our web
910 references file </LI>
911 <LI>lists below of user-written <A href="#howto">HowTos</A> and <A href="#applied">
912 other papers</A></LI>
914 Additional contributions are welcome. See the <A href="#contrib.faq">
916 <H3><A name="webdocs">Information on the web</A></H3>
918 <LI>current site, <A href="http://liberty.freeswan.org">freeswan.org</A></LI>
919 <LI>original project site at <A href="http://www.xs4all.nl/~freeswan">
923 <H3><A name="sites">Distribution sites</A></H3>
924 FreeS/WAN is available from a number of sites:
926 <LI>Primary site, in Holland:
928 <LI><A href="http://www.xs4all.nl/~freeswan">HTTP</A></LI>
929 <LI><A href="ftp://ftp.xs4all.nl/pub/crypto/freeswan">FTP</A></LI>
932 <LI><A href="http://www.flora.org/freeswan">Eastern Canada</A> (limited
934 <LI><A href="ftp://ludwig.doculink.com/pub/freeswan/">Eastern Canada</A>
935 (has older versions too)</LI>
936 <LI><A href="ftp://ntsc.notBSD.org/pub/crypto/freeswan/">Eastern Canada</A>
937 (has older versions too)</LI>
938 <LI><A href="ftp://ftp.kame.net/pub/freeswan/">Japan</A></LI>
939 <LI><A href="ftp://ftp.futuredynamics.com/freecrypto/FreeSWAN/">Hong
941 <LI><A href="ftp://ipsec.dk/pub/freeswan/">Denmark</A></LI>
942 <LI><A href="ftp://ftp.net.lut.ac.uk/freeswan">the UK</A></LI>
943 <LI><A href="http://storm.alert.sk/comp/mirrors/freeswan/">Slovak
945 <LI><A href="http://the.wiretapped.net/security/vpn-tunnelling/freeswan/">
947 <LI><A href="http://freeswan.technolust.cx/">technolust</A></LI>
948 <LI>Ivan Moore's <A href="http://snowcrash.tdyc.com/freeswan/">site</A></LI>
949 <LI>the <A href="http://www.cryptoarchive.net/">Crypto Archive</A> on
950 the <A href="http://www.securityportal.com/"> Security Portal</A> site </LI>
952 <H4><A name="munitions">The "munitions" archive of Linux crypto software</A>
954 There is also an archive of Linux crypto software called "munitions",
955 with its own mirrors in a number of countries. It includes FreeS/WAN,
956 though not always the latest version. Some of its sites are:
958 <LI><A href="http://munitions.vipul.net/">Germany</A></LI>
959 <LI><A href="http://munitions.iglu.cjb.net/">Italy</A></LI>
960 <LI><A href="http://munitions2.xs4all.nl/">Netherlands</A></LI>
962 <P> Any of those will have a list of other "munitions" mirrors. </P>
963 <H3><A name="archives">Archives of the project mailing list</A></H3>
964 Until quite recently, there was only one FreeS/WAN mailing list, and
967 <LI><A href="http://www.sandelman.ottawa.on.ca/linux-ipsec">Canada</A></LI>
968 <LI><A href="http://www.nexial.com">Holland</A></LI>
970 The two archives use completely different search engines. You might
972 <P> More recently we have expanded to five lists, each with its own
974 <P><A href="mail.html"> More information</A> on mailing lists.</P>
975 <H2><A name="products">Products containing FreeS/WAN</A></H2>
976 <P> Unfortunately the <A href="#exlaw">export laws</A> of some
977 countries restrict the distribution of strong cryptography. FreeS/WAN
978 is therefore not in the standard Linux kernel and not in all CD or web
980 <H3><A name="distwith">Full Linux distributions</A></H3>
981 <P>FreeS/WAN is included in various general-purpose Linux distributions
982 from countries (shown in brackets) with more sensible laws:</P>
984 <LI>European versions of <A href="http://www.suse.com/">SuSE Linux</A>
986 <LI><A href="http://www.conectiva.com">Conectiva</A> (Brazil)</LI>
987 <LI>the server edition of <A href="http://www.corel.com">Corel</A>
989 <LI>the <A href="http://www.pld.org.pl/">Polish(ed) Linux Distribution</A>
991 <LI><A href="http://www.trustix.net/">Trustix Secure Linux</A> (Norway) </LI>
993 <P> For distributions which do not include FreeS/WAN and are not Redhat
994 (which we develop and test on), there is additional information in our <A
995 href="#otherdist">compatibility</A> section.</P>
996 <P> We would appreciate hearing of other distributions using FreeS/WAN.</P>
997 <H3><A name="fw_dist">Firewall distributions</A></H3>
998 FreeS/WAN is also included in, or available for, more specialised
999 distributions intended for firewall and router applications:
1001 <LI><A href="http://www.gibraltar.at/">Gibraltar</A> is based on Debian
1002 GNU/Linux. It is bootable directly from CD-ROM, usable on a machine
1003 without hard disk. </LI>
1004 <LI>The <A href="http://www.linuxrouter.org/">Linux Router Project</A>
1005 produces a distribution that will boot from a single floppy. Charles
1006 Steinkuehler's LRP site provides <A href="http://lrp.steinkuehler.net/Packages/ipsec1.5.htm">
1007 FreeS/WAN packaged for LRP</A>. </LI>
1008 <LI><A href="http://www.astaro.com/products/index.html">Astaro Security
1009 Linux</A> includes FreeS/WAN. It has some web-based tools for managing
1010 the firewall that include FreeS/WAN configuration management.</LI>
1011 <LI><A href="http://www.linuxwall.de">Linuxwall</A></LI>
1013 <P> There are also several sets of scripts available for managing a
1014 firewall which is also acting as a FreeS/WAN IPSEC gateway. See this <A href="#examplefw">
1016 <P> We would appreciate hearing of other specialised distributions
1017 using FreeS/WAN, or other script sets.</P>
1018 <H3><A name="turnkey">Firewall and VPN products</A></H3>
1019 <P>Several vendors use FreeS/WAN as the IPSEC component of a turnkey
1020 firewall or VPN product:</P>
1022 <LI>The <A href="http://www.lasat.com">LASAT SafePipe[tm]</A> series.
1023 is an IPSEC box based on an embedded MIPS running Linux with FreeS/WAN
1024 and a web-config front end. This company also host our freeswan.org
1026 <LI><A href="www.rebel.com">Rebel.com</A>, makers of the Netwinder ARM
1027 Linux machine, have a new (mid-2000) division <A href="http://www.rebel.com/solutions/smb/rn-what.html">
1028 Rebel Networks</A> whose product uses FreeS/WAN.</LI>
1029 <LI><A href="http://www.linuxmagic.com/vpn/index.html">Linux Magic</A>
1030 offer a VPN/Firewall product using FreeS/WAN</LI>
1031 <LI>The Software Group's <A href="http://www.wanware.com/sentinet/">
1032 Sentinet</A> product uses FreeS/WAN</LI>
1033 <LI><A href="http://www.merilus.com">Merilus</A> use FreeS/WAN in their
1034 Gateway Guardian firewall product and in their <A href="http://www.merilus.com/firecard/index.shtml">
1035 Firecard</A> product, a Linux firewall on a PCI card. </LI>
1036 <LI><A href="http://www.kyzo.com/">Kyzo</A> have a "pizza box" product
1037 line with various types of server, all running from flash. One of them
1038 is an IPSEC/PPTP VPN server. </LI>
1039 <LI><A href="http://www.linuxcare.com">Linuxcare</A> have "bootable
1040 business card" usable as a recovery disk for broken Linux systems. </LI>
1042 <P>We would appreciate hearing of other products using FreeS/WAN.</P>
1043 <H2><A name="docs">Documentation</A></H2>
1044 <H3><A name="docformats">This HowTo, in multiple formats</A></H3>
1045 <P> FreeS/WAN documentation up to version 1.5 was available only in
1046 HTML. Now we ship two formats: </P>
1048 <LI>as HTML, one file for each doc section plus a global <A href="toc.html">
1049 Table of Contents</A></LI>
1050 <LI><A href="HowTo.html">one big HTML file</A> for easy searching</LI>
1052 and provide a Makefile to generate other formats if required:
1054 <LI><A href="HowTo.pdf">PDF</A></LI>
1055 <LI><A href="HowTo.ps">Postscript</A></LI>
1056 <LI><A href="HowTo.txt">ASCII text</A></LI>
1058 <P> The Makefile assumes the htmldoc tool is available. You can
1059 download it from <A href="http://www.easysw.com">Easy Software</A>. You
1060 may need to get source code and change some of the limits in <NOBR><VAR>
1061 #define MAX_<whatever></VAR></NOBR> statements near the end of its <VAR>
1062 config.h.in</VAR> file. Otherwise it core dumps when those limits are
1063 exceeded on large files such as our glossary.html.</P>
1064 <P> All formats should be available at the following websites: </P>
1066 <LI><A href="http://www.freeswan.org/doc.html">FreeS/WAN project</A></LI>
1067 <LI><A href="http://www.linuxdoc.org">Linux Documentation Project</A></LI>
1069 <P> The distribution tarball has only the two HTML formats.</P>
1070 <P><STRONG> Note:</STRONG> If you need the latest doc version, for
1071 example to see if anyone has managed to set up interoperation between
1072 FreeS/WAN and whatever, then you should download the current snapshot.
1073 What is on the web is documentation as of the last release. Snapshots
1074 have all changes I've checked in to date. </P>
1075 <H3><A name="text">Other documents in the distribution</A></H3>
1076 <P>Text files in the main distribution directory are README, INSTALL,
1077 CREDITS, CHANGES, BUGS and COPYING.</P>
1078 <P> FreeS/WAN commands and library routines are documented in standard
1079 Unix manual pages, accessible via the <VAR>man(1)</VAR> command. We
1080 also provide them in HTML, accessible from this <A href="manpages.html">
1081 index</A>. In the event of disagreement between this HowTo and the man
1082 pages, the man pages are more likely correct since they are written by
1083 the implementers. Please report any such inconsistency on the <A href="mail.html">
1084 mailing list</A>.</P>
1085 <P>The gmp (GNU multi-precision arithmetic) and Libdes (encryption)
1086 libraries which we use each have their own documentation. You can find
1087 it in those library directories.</P>
1088 <H3><A name="howto">User-written HowTo information</A></H3>
1089 <P> Various user-written HowTo documents are available. The ones
1090 covering FreeS/WAN-to-FreeS/WAN connections are:</P>
1092 <LI>Jean-Francois Nadeau's <A href="http://jixen.tripod.com/">practical
1093 configurations</A> document</LI>
1094 <LI>Jens Zerbst's HowTo on <A href="http://dynipsec.tripod.com/">Using
1095 FreeS/WAN with dynamic IP addresses</A>. </LI>
1096 <LI>an entry in Kurt Seifried's <A href="http://www.securityportal.com/lskb/kben00000013.html">
1097 Linux Security Knowledge Base</A>. </LI>
1098 <LI>a section of David Ranch's <A href="http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html#trinityos">
1099 Trinity OS Guide</A></LI>
1100 <LI>a section in David Bander's book <A href="#bander">Linux Security
1103 <P> User-wriiten HowTo material may be <STRONG>especially helpful if
1104 you need to interoperate with another IPSEC implementation</STRONG>. We
1105 have neither the equipment nor the manpower to test such
1106 configurations. Users seem to be doing an admirable job of filling the
1109 <LI>list of user-written <A href="#otherpub">interoperation HowTos</A>
1110 in our interop document </LI>
1112 <P> Check what version of FreeS/WAN user-written documents cover. The
1113 software is under active development and the current version may be
1114 significantly different from what an older document describes.</P>
1115 <H3><A name="applied">Papers on FreeS/WAN</A></H3>
1116 <P> Two design documents show current team thinking on new
1119 <LI><A href="opportunism.spec">Opportunistic Encryption</A> by
1120 technical lead Henry Spencer and Pluto programmer Hugh Redelemeier </LI>
1121 <LI><A href="klips2.spec">KLIPS II Design</A> by kernel programmer
1122 Richard Guy Briggs </LI>
1124 Both documents are works in progress and frequently revised. The most
1125 recent versions can be found either in FreeS/WAN snapshots or on the <A href="mail.html">
1126 design mailing list</A>. Comments should go to that list.
1127 <P> A number of papers giving further background on FreeS/WAN, or
1128 exploring its future or its applications, are also available:</P>
1130 <LI>Both Henry and Richard gave talks on FreeS/WAN at the 2000 <A href="http://www.linuxsymposium.org">
1131 Ottawa Linux Symposium</A>.
1133 <LI>Richard's <A href="http://www.conscoop.ottawa.on.ca/rgb/freeswan/ols2k/">
1135 <LI>Henry's paper</LI>
1136 <LI>MP3 audio of their talks is available from the <A href="http://www.linuxsymposium.org/">
1137 conference page</A></LI>
1140 <LI><CITE>Moat: A Virtual Private Network Appliances and Services
1141 Platform</CITE> is a paper about large-scale (a few 100 links) use of
1142 FreeS/WAN in a production application at AT&T research. It is
1143 available in Postscript or PDF from co-author Steve Bellovin's <A href="http://www.research.att.com/~smb/papers/index.html">
1144 papers list page</A>.</LI>
1145 <LI>One of the Moat co-authors, John Denker, has also written
1147 <LI>a <A href="http://www.quintillion.com/fdis/moat/ipsec+routing/">
1148 proposal</A> for how future versions of FreeS/WAN might interact with
1149 routing protocols</LI>
1150 <LI>a <A href="http://www.quintillion.com/fdis/moat/wishlist.html">
1151 wishlist</A> of possible new features</LI>
1154 <LI>Bart Trojanowski's web page has a draft design for <A href="http://www.jukie.net/~bart/linux-ipsec/">
1155 hardware acceleration</A> of FreeS/WAN </LI>
1156 <LI>Feczak Szabolcs' <A href="http://feczo.koli.kando.hu/vpn/">thesis</A>
1157 , in Hungarian </LI>
1159 <P> Several of these provoked interesting discussions on the mailing
1160 lists, worth searching for in the <A href="#archive">archives</A>. </P>
1161 <H3><A name="test">Test results</A></H3>
1163 <LI><A href="http://tsc.llwybr.org.uk/public/reports/SWANTIME/">Speed
1164 test results</A> from a Welsh university.</LI>
1166 <P> Interoperability test results are in our <A href="#result">web links</A>
1168 <H2><A name="licensing">License and copyright information</A></H2>
1169 All code and documentation written for this project is distributed
1170 under either the GNU General Public License (<A href="#GPL">GPL</A>) or
1171 the GNU Library General Public License. For details see the COPYING
1172 file in the distribution.
1173 <P>Not all code in the distribution is ours, however. See the CREDITS
1174 file for details. In particular, note that the <A href="#LIBDES">Libdes</A>
1175 library has its own license.</P>
1176 <H2><A NAME="1_6">Links to other sections</A></H2>
1177 <P>For more detailed background information, see:</P>
1179 <LI><A href="politics.html">history and politics</A> of cryptography</LI>
1180 <LI><A href="ipsec.html">IPSEC protocols</A></LI>
1182 <P> To begin working with FreeS/WAN, go to: </P>
1184 <LI><A href="install.html">installation</A> if you need to install
1186 <LI><A href="config.html">setup</A> if your distribution came with
1187 FreeS/WAN so you just need to configure your IPSEC links</LI>
1190 <H1><A name="install">Installing FreeS/WAN</A></H1>
1191 <H2><A name="who.install">Who needs to perform an installation?</A></H2>
1192 <P> Some Linux distributions, <A href="#distwith">listed in the
1193 introduction</A>, ship with FreeS/WAN included. If you are using one of
1194 them, you need not perform a FreeS/WAN installation. That should all be
1195 done for you already. All you have to do is:</P>
1197 <LI>include FreeS/WAN in your installation choices, or add it to your
1198 configuration later</LI>
1199 <LI>if you install kernel source, be sure to use a version which
1200 includes the FreeS/WAN patches. This should be available from your CDs
1201 or from the web site for your distribution.</LI>
1203 <P>Users of such distributions can skip ahead to our section on <A href="config.html">
1204 setting up</A> FreeS/WAN.</P>
1205 <P> Unfortunately, due to <A href="#exlaw">export laws</A> restricting
1206 distribution of strong cryptography, not all distributions include
1207 FreeS/WAN. Moreover, the standard kernel does not include the kernel
1208 parts of FreeS/WAN. Many people will need to install FreeS/WAN,
1209 including patching and rebuilding their kernel.</P>
1210 <H2><A name="re-install">Re-installs</A></H2>
1211 If this is the first FreeS/WAN install on this machine, skip this
1213 <P> The scripts are designed so that a re-install -- to upgrade to a
1214 later FreeS/WAN version or to a later kernel version -- can be done in
1215 exactly the same way as an original install. </P>
1216 <P> The scripts know enough, for example, not to apply the same kernel
1217 patch twice and not to overwrite your <VAR>ipsec.conf</VAR> or <VAR>
1218 ipsec.secrets</VAR> files. However, they will overwrite the _updown
1219 script. If you have modified that, save your version under another name
1220 before doing the install. </P>
1221 <P> Also, they may not always work exactly as designed. Check the <A href="../BUGS">
1222 BUGS</A> file for any caveats in the current version. </P>
1224 <DT>to install a new version of FreeS/WAN, with your current kernel</DT>
1225 <DD> Download and untar the new FreeS/WAN. Since kernel source has
1226 already been installed and configured, you can skip a few steps in the
1227 procedure below. Go to <A href="#building">Building FreeS/WAN</A>, and
1228 follow normal FreeS/WAN procedures from there. </DD>
1229 <DT>to install a new kernel, on a machine which already has FreeS/WAN
1231 <DD> Download and untar the new kernel source. Since this kernel is not
1232 yet configured, that is the next thing to do.Go to <A href="#kconfig">
1233 Kernel configuration</A>, and follow normal FreeS/WAN procedures from
1235 <DT>to upgrade both kernel and FreeS/WAN</DT>
1236 <DD> You need both new kernel source and new FreeS/WAN source. Follow
1237 the full FreeS/WAN install procedure. </DD>
1239 <H2><A name="before">Before starting the install</A></H2>
1240 <P>Configure, compile, install, and test a Linux kernel, without
1242 <P> If you have not done this before, you will need to read the <A href="http://metalab.unc.edu/LDP/HOWTO/Kernel-HOWTO.html">
1243 Kernel HowTo</A>.</P>
1244 <H3><A name="choosek">Choosing a kernel</A></H3>
1245 <H4><A name="2.2">2.2.19 for many users</A></H4>
1246 <P> Many users can continue to run kernels from the 2.2 series of Linux
1247 production <A href="#kernel">kernels</A>. </P>
1248 <P> At time of writing (June 2001), the latest version is 2.2.19. If
1249 you are going to use a 2.2 kernel, we <STRONG>strongly recommend 2.2.19</STRONG>
1252 <LI>It has a number of small security fixes not found in earlier
1254 <LI>There have been changes in some kernel file formats that make it
1255 difficult to compile a current FreeS/WAN with earlier kernels. </LI>
1257 If you really need to use an older 2.2.x kernel for some reason, see
1258 the note in the FreeS/WAN 1.91 release <A href="../CHANGES">CHANGES</A>
1259 file for a workaround for the compile difficulty, and the <A href="mail.html">
1260 mailing list archives</A> for more details if needed.
1261 <H4><A name="2.4">2.4.x is possible</A></H4>
1262 The new 2.4 series of kernels began in January 2001 and are currently
1263 (early June) at 2.4.5. FreeS/WAN is known to work on 2.4.5.
1264 <P> 2.4 has new firewalling code called <A href="http://netfilter.kernelnotes.org/unreliable-guides/index.html">
1265 netfilter</A>. This may provide good reasons to move to 2.4, especially
1266 on for gateway machines. </P>
1267 <H4><A name="2.0">2.0.x should still work</A></H4>
1268 <P> In the older 2.0.x kernel series, we no longer support versions
1269 earlier than 2.0.38. 2.0.38 has fixes for a number of small
1270 security-related glitches, worth having on a security gateway machine.
1271 FreeS/WAN has been tested on 2.0.39, and does work there.</P>
1272 <P> Recent versions of FreeS/WAN are not heavily tested on 2.0 kernels.
1273 Most of both the development team and the user community are on 2.2, or
1274 even 2.4, by now.</P>
1275 <P> We are likely to drop 2.0 support entirely if some problem crops up
1276 that would mean retaining it required significant work from our team. </P>
1277 <H4><A name="devkernel">Development kernels</A></H4>
1278 Development kernels are a separate series, work-in-progress versions
1279 for use by kernel developers. By convention, production kernels have an
1280 even second digit in the version number (2.0, 2.2, 2.4) and development
1281 kernels have an odd digit there (2.1, 2.3, 2.5).
1282 <P> At time of writing, no more 2.3 kernels are being produced and the
1283 2.5 series has not been started yet, so just now development kernels
1284 are not an issue. No doubt a 2.5 series will be started in the next few
1286 <P><STRONG> Development kernels are not intended for production use</STRONG>
1287 . They change often and include new code which has not yet been
1288 thoroughly tested. <STRONG>This regularly breaks things, including
1289 FreeS/WAN</STRONG>. The FreeS/WAN team does not have the resources to
1290 chase the moving target; our priority is developing FreeS/WAN on stable
1291 kernels. If you encounter a problem on a development kernel, please
1292 solve it (you are a developer, aren't you?) and send us a patch. Of
1293 course, we will happily discuss problems and solutions on the <A href="mail.html">
1294 mailing list</A>, but we are unlikely to do much work on actually
1295 implementing a solution. </P>
1296 <P> Fortunately we have a user who regularly fixes problems with
1297 FreeS/WAN on development kernels (merci, Marc), and we do fix some
1298 ourselves. FreeS/WAN often works just fine on a development kernel;
1299 it's just that there's no guarantee. </P>
1300 <P> If you are going to test FreeS/WAN with a development kernel, we
1301 recommend you <STRONG>use our latest snapshot</STRONG>. This is the
1302 FreeS/WAN version most likely to have the patches required to work on a
1303 recent development kernel. The released version of FreeS/WAN is likely
1304 to be out of date for your purposes.</P>
1305 <H3><A name="getkernel">Things you must have installed</A></H3>
1306 <P> If you have a CD distribution of Linux, it should include
1307 everything you need. </P>
1308 <H4><A " name="tool.lib">Tools and libraries</A></H4>
1309 Use your distribution's tools to load:
1313 <LI>a GNU C compiler (gcc or egcs)</LI>
1314 <LI>assembler and linker for your architecture (the bin86 package on
1316 <LI>miscellaneous development tools such as make(1) and patch(1)</LI>
1319 <LI>libraries, both headers and object modules
1321 <LI>standard compiler libraries such as glibc</LI>
1322 <LI>the GMP (<STRONG>G</STRONG>NU <STRONG>M</STRONG>ulti-<STRONG>P</STRONG>
1323 recision) library, required for Pluto's public key calculations. </LI>
1324 <LI>ncurses library if you want to use menuconfig (recommended)</LI>
1328 <P> There are some <STRONG>common slips</STRONG> worth avoiding here: </P>
1330 <LI>not installing the GMP library. Pluto will not compile without it.
1331 See the FreeS/WAN FAQ for <A href="#gmp.h_missing">more detail</A> if
1333 <LI>not installing patch(1). Our scripts need it to apply our patches
1334 to the kernel. </LI>
1336 <H4><A name="kernel.">Kernel source code</A></H4>
1337 You need the source code for the kernel because you must patch and
1338 re-compile it to install FreeS/WAN. There are several places you can
1341 <LI>off your distribution CDs </LI>
1342 <LI>from your ditribution vendor's website </LI>
1343 <LI>from kernel.org </LI>
1345 <H5><A name="kernel.cd">Kernel from CD</A></H5>
1346 You can install the kernel from your distribution CD. It may be in two
1349 <LI>kernel source</LI>
1350 <LI>kernel headers</LI>
1352 However, if your CD is not recent, it may have an older kernel, in
1353 which case we suggest getting more recent kernel source from the net.
1354 <H5>Vendor kernels</H5>
1355 <P> All the major distribution vendors provide kernel source. See for
1358 <LI>Red Hat's list of <A href="http://www.redhat.com/mirrors.html">
1359 mirror sites</A></LI>
1360 <LI>SuSE's <A href="http://www.suse.com/us/support/download/index.html">
1361 download page</A></LI>
1363 <P> Using a kernel from your distribution vendor may save you some
1364 annoyance later.</P>
1365 <P> Different distributions put the kernel in different places
1366 (/vmlinuz, /boot/vmlinuz, /boot/vmlinuz-2.2.15 ...) and set lilo (the <STRONG>
1367 Li</STRONG>nux <STRONG>lo</STRONG>ader) up differently. With a kernel
1368 from your distribution vendor, everything should work right. With
1369 other combinations, a newly compiled kernel may be installed in one
1370 place while lilo is looking in another. You can of course adjust the
1371 kernel Makefile and/or /etc/lilo.conf to solve this problem, but we
1372 suggest just avoiding it.</P>
1373 <P> Also, distributions vendors may include patches or drivers which
1374 are not part of the standard kernel. If you install a standard kernel,
1375 you must either do without those features or download those patches
1376 and add them yourself.</P>
1377 <H5>Kernels from kernel.org</H5>
1378 For kernels direct from Linus, without any distribution vendor's
1379 modifications, see the <A href="http://www.kernel.org/mirrors/">
1380 kernel.org</A> mirror list, or go directly to <NOBR><VAR>
1381 ftp.<country>.kernel.org</VAR>,</NOBR> with the appropriate two-letter
1382 country code inserted.
1383 <H4>Once you've found a kernel</H4>
1384 <P> Once you have found suitable kernel source, choose a mirror that is
1385 close to you and bookmark it.</P>
1386 <P> Kernel source normally resides in <VAR>/usr/src/linux</VAR>,
1387 whether you load it from a distribution CD or download a tar file into <VAR>
1388 /usr/src</VAR> and untar it there. Unless you both have unusual
1389 requirements and know exactly what you're doing, we recommend you put
1391 <H3><A NAME="2_3_3">Getting FreeS/WAN</A></H3>
1392 <P> You can download FreeS/WAN from our <A href="ftp://ftp.xs4all.nl/pub/crypto/freeswan/">
1393 primary site</A> or one of our <A href="#sites">mirrors</A>. </P>
1394 <P> Put the tarfile under <VAR>/usr/src</VAR> and untar it there. The
1395 command to use is: </P>
1397 <LI>tar -xzf freeswan*.gz </LI>
1399 <P> This will give you a directory <VAR>/usr/src/freeswan<version></VAR>
1401 <P>Note that <STRONG>these methods don't work:</STRONG></P>
1403 <LI>putting freeswan under <VAR>/usr/src/linux</VAR>. The links become
1405 <LI>untarring in one place, then using <VAR>cp -R</VAR> to move it
1406 where you want it. Some necessary symbolic links are not copied.</LI>
1408 <H3><A name="kconfig">Kernel configuration</A></H3>
1409 <P> The gateway kernel must be configured before FreeS/WAN is added
1410 because some of our utilities rely on the results of configuration. </P>
1411 <P><STRONG> Note for Redhat 7.1 users</STRONG>: If you are using the
1412 Redhat-supplied kernel, then you <STRONG>must do a <NOBR><VAR>make
1413 mrproper</VAR></NOBR></STRONG> command before starting the kernel
1414 configuration. This prevents some unpleasant interactions between
1415 Redhat's config and our patches. </P>
1416 <P> On some distributions, you can get the configuration files for the
1417 vendor's standard kernel(s) off the CD, and use that. This allows you
1418 to skip this step; you need not configure the kernel if the vendor has <EM>
1419 and you have the vendor's config file installed</EM>. Here is a mailing
1420 list message describing the procedure for Redhat: </P>
1422 Subject: Re: [Users] Do I need to recompile kernel 2.2.17-14?
1423 Date: Wed, 6 Jun 2001 08:38:38 -0500
1424 From: "Corey J. Steele" <csteele@mtron.com>
1426 if you install the corresponding kernel-source-*.rpm, you can actually find
1427 the config file used to build that kernel in /usr/src/linux/Configs, just
1428 copy the one you want to use (based solely on architecture) to
1429 /usr/src/linux/.config, and proceed! It should work.
1431 If you have ever configured the kernel yourself on this machine, you
1432 can also skip this step.
1433 <P> If the kernel has not been configured, do that now. This is done by
1434 giving one of the following commands in <VAR>/usr/src/linux</VAR>:</P>
1436 <DT>make config</DT>
1437 <DD>command-line interface</DD>
1438 <DT>make menuconfig</DT>
1439 <DD>text menus (requires curses(3) libraries)</DD>
1440 <DT>make xconfig</DT>
1441 <DD>using the X window system (requires X, not recommended for
1444 <P> Any of these wiil do the job. If you have no established
1445 preference, we suggest trying <VAR>menuconfig</VAR>.</P>
1446 <P> For more information on configuring your kernel, see our <A href="kernel.html">
1447 section</A> on that topic.</P>
1448 <H3><A name="inst-test">Install and test a kernel before adding
1450 <P> You should compile, install and test the kernels as you have
1451 configured them, so that you have a known stable starting point. The
1452 series of commands involved is usually something like:</P>
1454 <DT>make menuconfig</DT>
1455 <DD>choose kernel options, set up a kernel for your machine</DD>
1457 <DD>find <STRONG>dep</STRONG>endencies between files</DD>
1458 <DT>make bzImage</DT>
1459 <DD>build a loadable kernel image, compressed with bzip(1)</DD>
1460 <DT>make install</DT>
1462 <DT>make modules</DT>
1463 <DD>build modules which can be added to a running kernel</DD>
1464 <DT>make modules_install</DT>
1465 <DD>install them</DD>
1467 <DD>ensure that the boot loader sees your changes</DD>
1469 <P> Doing this first means that if there is a problem after you add
1470 FreeS/WAN, tracking it down is <EM>much</EM> simpler.</P>
1471 <P> If you need advice on this process, or general Linux background
1472 information, try our <A href="#linux.link">Linux web references</A>.
1473 The most directly relevant document is the <A href="http://metalab.unc.edu/LDP/HOWTO/Kernel-HOWTO.html">
1474 Kernel HowTo</A>.</P>
1475 <H2><A name="building">Building and installing the software</A></H2>
1476 <P> There are several ways to build and install the software. All
1477 require that you have kernel source, correctly configured for your
1478 machine, as a starting point. If you don't have that yet, see the <A href="#before">
1479 previous section</A></P>
1480 <P> Whatever method you choose, it will do all of the following: </P>
1482 <LI>add FreeS/WAN code to the kernel
1484 <LI>insert patches into standard kernel code to provide an interface</LI>
1485 <LI>add additional files which use that interface</LI>
1488 <LI>re-configure and re-compile the kernel to activate that code</LI>
1489 <LI>install the new kernel</LI>
1490 <LI>build the non-kernel FreeS/WAN programs and install them
1492 <LI><A href="manpage.d/ipsec.8.html">ipsec(8)</A> in <VAR>
1493 /usr/local/sbin</VAR></LI>
1494 <LI>others in <VAR>/usr/local/lib/ipsec</VAR></LI>
1497 <LI>install FreeS/WAN <A href="manpages.html">man pages</A> under <VAR>
1498 /usr/local/man</VAR></LI>
1499 <LI>create the configuration file <A href="manpage.d/ipsec.conf.5.html">
1500 ipsec.conf(5)</A>. Editing this file to configure your IPSEC gateway
1501 is described in the <A href="config.html">next section</A>.</LI>
1502 <LI>create an RSA public/private key pair for your system and place it
1503 in <A href="manpage.d/ipsec.secrets.5.html">ipsec.secrets(5)</A></LI>
1504 <LI>install the initialisation script <VAR>/etc/rc.d/init.d/ipsec</VAR></LI>
1505 <LI>create links to that script from the <VAR>/etc/rc.d/rc[0-6].d</VAR>
1506 directories so that each run level starts or stops IPSEC. (If the
1507 previous sentence makes no sense to you, try the <A href="http://www.linuxdoc.org/HOWTO/From-PowerUp-To-Bash-Prompt-HOWTO.html">
1508 From Power-up to Bash Prompt HowTo</A>).</LI>
1510 <P> You can do the whole install with two commands (recommended in most
1511 cases) or get into as much of the detail as you like.</P>
1512 <H3><A name="allbut">Everything but kernel installation</A></H3>
1513 <P> To do everything except install the new kernel, <VAR>cd</VAR> into
1514 the freeswan directory and become root. Give <STRONG>any one</STRONG>
1515 of the following commands:</P>
1518 <DD>Uses FreeS/WAN's default settings for some kernel configuration
1519 options. Leaves all other options unchanged from your last kernel
1522 <DD>Invokes <VAR>config</VAR> so you can configure the kernel from the
1524 <DT>make menugo</DT>
1525 <DD>Invokes <VAR>menuconfig</VAR> so you can configure the kernel with
1526 text-mode menus.</DD>
1528 <DD>Invokes <VAR>xconfig</VAR> so you can configure the kernel in an X
1531 <P> You must <STRONG>save the new configuration even if you make no
1532 changes</STRONG>. This ensures that the FreeS/WAN changes are actually
1533 seen by the system.</P>
1534 <P> Our scripts save the output of <VAR>make</VAR> commands they call
1535 in files with names like <VAR>out.kbuild</VAR> or <VAR>out.kinstall</VAR>
1536 . The last command of each script checks the appropriate <VAR>out.*</VAR>
1537 file for error messages.</P>
1539 <LI>If the last output you see is <VAR>make</VAR> saying it is calling
1540 our <VAR> errcheck</VAR> script, then all is well. There were no errors.</LI>
1541 <LI>If not, an error has occurred. Check the appropriate <VAR>out.*</VAR>
1542 file for details.</LI>
1544 <P> For the above commands, the error files are <VAR>out.kpatch</VAR>
1545 and <VAR>out.kbuild</VAR>. </P>
1546 <P> These scripts automatically build an <A href="#RSA">RSA</A>
1547 authentication key pair (a public key and the matching private key)
1548 for you, and put the result in <VAR>/etc/ipsec.secrets</VAR>. For
1549 information on using RSA authentication, see our <A href="config.html">
1550 configuration section</A>. Here, we need only note that generating the
1551 key uses random(4) quite heavily and if random(4) runs out of
1552 randomness, <STRONG>it will block until it has enough input</STRONG>.
1553 You may need to provide input by moving the mouse around a lot, or
1554 going to another window and typing random characters, or using some
1555 command such as <VAR>du -s /usr</VAR> to generate disk activity.</P>
1556 <H3><A name="newk">Installing the new kernel</A></H3>
1557 <P>To install the kernel the easy way, just give this command in the
1558 FreeS/WAN directory:</P>
1560 <DT>make kinstall</DT>
1561 <DD>Installs the new kernel and, if required, the modules to go with
1562 it. Errors, if any, are reported in <VAR>out.kinstall</VAR></DD>
1564 <P> Using <VAR>make kinstall</VAR> from the FreeS/WAN directory is
1565 equivalent to giving the following sequence of commands in <VAR>
1566 /usr/src/linux</VAR>:</P>
1569 <LI>make install</LI>
1570 <LI>make modules</LI>
1571 <LI>make modules_install</LI>
1573 <P>If you prefer that sequence, use it instead.</P>
1574 <P> If you have some unusual setup such that the above sequence of
1575 commands won't work on your system, then our <VAR>make kinstall</VAR>
1576 will not work either. Use whatever method does work on your system.
1577 See our <A href="impl.notes">implementation notes</A> file for
1578 additional information that may help in such situations.</P>
1580 <H3><A NAME="2_4_3">Make sure Lilo knows about the new kernel</A></H3>
1581 <P> Check your lilo.conf(5) file to ensure it points to the right
1582 kernel, then run lilo(8) to read lilo.conf(5) and set up the bootloader.</P>
1583 <H2><A name="testinstall">Testing to see if install succeeded</A></H2>
1584 <P> To check that you have a sucessful install, you can reboot and
1585 check (by watching messages during boot or by looking at them later
1586 with dmesg(8)) that:</P>
1588 <LI>the kernel reports the right version. If not, you are likely still
1589 running your old kernel. Check your lilo.conf(5) file and the
1590 installation directory (defined in the kernel make file, often /boot
1591 but the default is /), then rerun lilo(8).</LI>
1592 <LI>KLIPS initialisation messages appear</LI>
1593 <LI>Pluto reports that it is starting</LI>
1595 <P>You can also try the commands:</P>
1597 <LI><VAR>ipsec --version</VAR>, to test whether /usr/local/bin is in
1598 your path so you can use IPSEC administration commands</LI>
1599 <LI><VAR>ipsec whack --status</VAR>, using <A href="manpage.d#ipsec_whack.8.html">
1600 ipsec_whack(8)</A> to ask Pluto for status information</LI>
1602 <P> Of course any status information at this point should be
1603 uninteresting since you have not yet configured connections.</P>
1604 <H2><A NAME="2_6">Where to go from here</A></H2>
1605 <P>See the following section for information on <A href="config.html">
1606 configuring connections</A>.</P>
1607 <P>Alternately, you might want to look at background material on the <A href="ipsec.html">
1608 protocols used</A> before trying configuration.</P>
1610 <H1><A name="setup">Configuration</A></H1>
1611 <P>This section describes setting up and testing Linux FreeS/WAN.</P>
1612 <P>Before attempting this, you should:</P>
1614 <LI>look at our <A href="intro.html">introduction</A> section. We
1615 assume here that you understand concepts and terms described there.</LI>
1616 <LI>ensure that FreeS/WAN is installed on your system. See these links:
1618 <LI><A href="#testinstall">testing</A> whether FreeS/WAN is installed</LI>
1619 <LI>performing an <A href="install.html">installation</A></LI>
1623 <P> You also need to set up and test IP networking on all the machines
1624 you plan to install FreeS/WAN on or to use in testing, before trying to
1625 set up FreeS/WAN. This is discussed in more detail after the
1626 description of our example networks.</P>
1627 <H2><A name="example">Our example networks</A></H2>
1628 <P> For our examples, we assume that there are only three networks
1629 involved, two that want to talk to each other plus the Internet in the
1630 middle. The idea is to build an encrypted tunnel across the Internet so
1631 the two networks can talk securely. Once you have this working between
1632 two network gateways, extending it to three or more is straightforward.</P>
1633 <P> In our examples, we'll call the two gateways East and West. We'll
1634 have only one client machine on each net: Sunrise in the East and
1635 Sunset in the West.</P>
1638 Sunset==========West------------------East=========Sunrise
1639 local net untrusted net local net
1641 <P> Our goal here is to tell you how to set up the two gateways, East
1642 and West. We assume your goal is to ensure that East and West encrypt
1643 all traffic between them, or at least all that your security policies
1644 require them to encrypt.</P>
1645 <P> Of course one does not always have a security gateway separate from
1646 the client machine. Especially for road warriors, a network that looks
1647 like this is common:</P>
1649 telecommuter's PC or
1650 corporate LAN traveller's laptop
1651 Sunset==========West------------------East
1652 local net untrusted net
1654 <P>and this is possible:</P>
1656 West------------------East
1659 <P> In our configuration files, and in this discussion, we treat the
1660 two simpler setups as degenerate cases of the network-to-network link.
1661 For all the diagrams above, for example, we speak of "the subnet behind
1662 East". In two of the diagrams, of course, that "subnet" is just the
1664 <P> This may take some getting used to, but we hope it is less
1665 confusing than continually having to say things like "the subnet behind
1666 East (or the East machine itself if there is no client subnet)".</P>
1667 <H2><A name="testnet">Configuration for a testbed network</A></H2>
1668 <P>Many users just want to get IPSEC installed on a few machines. They
1669 can skip this section.</P>
1670 <P>Others may want to build a testbed network, for any of a number of
1671 reasons. For them, we have some suggestions.</P>
1672 <P> The ideal test setup for IPSEC is something like:</P>
1674 Sunset==========West-----eth0 eth1-----East=========Sunrise
1675 local net test machine local net
1677 <P> The test machine routes packets between the two gateways. This
1678 makes things more complicated than if you just connected the two
1679 gateway machines directly to each other, but it also makes your test
1680 setup much more like the environment you actually use IPSEC in. Those
1681 environments nearly always involve routing, and quite a few apparent
1682 IPSEC failures turn out to be problems with routing or with firewalls
1683 dropping packets. This approach lets you deal with those problems on
1684 your test setup.</P>
1685 <P> Also, the test machine is in the ideal position to run diagnostic
1686 software (such as tcpdump(8)) for checking IPSEC packets. Such software
1687 is likely to misbehave if run on the gateways themselves. It is
1688 designed to look into a normal IP stack and may become confused if you
1689 ask it to display data from a stack which has IPSEC in play.</P>
1690 <P> For more detailed testbed information see these <A href="mail.html">
1691 mailing list</A> messages: </P>
1693 <LI>a user's detailed <A href="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/11/msg00571.html">
1694 setup diary</A> for his testbed network </LI>
1695 <LI>a FreeS/WAN team member's <A href="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/11/msg00425.html">
1696 notes</A> from testing at an IPSEC interop "bakeoff" </LI>
1698 <H2><A name="setupnet">Set up and test networking</A></H2>
1699 <P> Before trying to get FreeS/WAN working, you should configure and
1700 test IP networking on both gateways and on at least one client machine
1701 behind each of them. <STRONG>IPSEC cannot work without a working IP
1702 network beneath it.</STRONG> Many reported "FreeS/WAN problems" turn
1703 out to actually be problems with routing or firewalling. If any actual
1704 IPSEC problems turn up, you often cannot even recognise them (much less
1705 debug them) unless the underlying network is right.</P>
1706 <P>If you need advice on this, your best sources are likely:</P>
1708 <LI>the <A href="http://www.linuxdoc.org/HOWTO/Net-HOWTO/index.html">
1709 Networking Howto</A></LI>
1710 <LI>the <A href="http://www.linuxdoc.org/LDP/nag2/index.html">Network
1711 Administrator's Guide</A>.</LI>
1712 <LI>the <A href="http://netfilter.kernelnotes.org/unreliable-guides/networking-concepts-HOWTO/index.html">
1713 Linux Networking-concepts HOWTO</A> from Rusty Russell, author of most
1714 of the Linux firewalling code</LI>
1716 <P> See also our <A href="biblio.html">bibliography</A>. </P>
1717 <P>Here is our network diagram again:</P>
1719 Sunset==========West------------------East=========Sunrise
1720 local net untrusted net local net
1722 <P> The client machines, Sunrise and Sunset in our example, may have
1723 assigned <A href="#routable">routable</A> IP addresses, or they may be
1724 using private <A href="#non-routable">non-routable</A> addresses (as
1725 defined in RFC 1918) with the gateways doing <A href="#masq">IP
1726 masquerade</A>. It doesn't matter which, as long as whatever it is
1727 works correctly.</P>
1728 <P>Note, however, that the two subnets must have distinct addresses.
1729 You cannot have them both masqueraded to the same range of RFC 1918
1732 <LI>If Sunrise and Sunset have routable IP addresses, test that they
1733 can ping each other.</LI>
1734 <LI>If IP masquerading is in use, test as far as you can. For example,
1735 if Sunset is masqueraded behind West then Sunrise cannot ping Sunset
1736 but should be able to ping West. Whether Sunset can ping Sunrise,
1737 assuming Sunrise is not masqueraded, would depend on whether West's
1738 rules let ICMP packets through. If not, you should adjust those rules.</LI>
1740 <P>In any case, it is not enough to just test that East and West can
1742 <H3><A name="forward">Enabling packet forwarding</A></H3>
1743 <P> Some systems turn off packet forwarding by default, even for
1744 kernels in which it has been enabled. This is the safe default. You
1745 don't want systems forwarding packets in uncontrolled ways. </P>
1746 <P> To turn forwarding on temporarily, use the following command as
1749 echo "1" > /proc/sys/net/ipv4/ip_forward
1751 Turning it on permanently is also possible. The exact method varies
1752 from distribution to distribution:
1754 <DT>Older Readhat </DT>
1755 <DD>in the file <VAR>/etc/sysconfig/network</VAR>, set <VAR>
1756 FORWARD_IPV4=yes </VAR></DD>
1757 <DT>Redhat 6.x and 7.0 </DT>
1758 <DD>in the file <VAR>/etc/sysconfig/network</VAR>, set <VAR>
1759 net.ipv4.ip_forward=1 </VAR></DD>
1760 <DT>Debian r2.2 systems (and most likely Debian r2.2 derived systems): </DT>
1761 <DD>in the file <VAR>/etc/network/options</VAR>, set <VAR>
1762 ip_forward=yes </VAR></DD>
1764 <P> A gateway machine needs forwarding enabled or it will not route
1765 packets between the two networks it is attached to. The simplest way to
1766 ensure this is to enable forwarding using whatever method your
1767 distribution provides. See list above. </P>
1768 <P> A more conservative approach is to disable forwarding in your
1769 system configuration, then enable from your boot scripts after
1770 appropriate firewall scripts are in place. </P>
1771 <H3><A name="othersoft">Other software</A></H3>
1772 <P> Configure and test any other software you will want to use for
1773 testing once IPSEC is up. For example, you might put an HTTP daemon on
1774 Sunset and a browser on Sunrise. Make sure these work without IPSEC.</P>
1775 <P>If these tests fail, figure out why and fix it. <STRONG>Do not
1776 proceed until it works.</STRONG></P>
1777 <H2><A name="rtfm">RTFM (please Read The Fine Manuals)</A></H2>
1778 <P> As with most things on any Unix-like system, most parts of Linux
1779 FreeS/WAN are documented in online manual pages. We provide a list of <A href="manpages.html">
1780 FreeS/WAN man pages</A>, with links to HTML versions of them. </P>
1781 <P> The man pages describing configuration files are: </P>
1783 <LI><A href="manpage.d/ipsec.conf.5.html">ipsec.conf(5)</A></LI>
1784 <LI><A href="manpage.d/ipsec.secrets.5.html">ipsec.secrets(5)</A></LI>
1786 <P> Man pages for commands used in this document include:</P>
1788 <LI><A href="manpage.d/ipsec.8.html">ipsec(8)</A></LI>
1789 <LI><A href="manpage.d/ipsec_pluto.8.html">ipsec_pluto(8)</A></LI>
1790 <LI><A href="manpage.d/ipsec_rsasigkey.8.html">ipsec_rsasigkey(8)</A></LI>
1791 <LI><A href="manpage.d/ipsec_auto.8.html">ipsec_auto(8)</A></LI>
1792 <LI><A href="manpage.d/ipsec_manual.8.html">ipsec_manual(8)</A></LI>
1794 <P> You can read these either in HTML using the links above or with the <VAR>
1795 man(1)</VAR> command.</P>
1797 <H2><A name="usersakey">Setting up RSA authentication keys</A></H2>
1798 <P> RSA keys come in matched pairs. Each pair includes:</P>
1800 <LI>a <STRONG>public key</STRONG> which need not be kept secure.
1801 Everyone you plan to communicate with must be able to get a copy of
1802 this. It does not matter if an enemy gets it as well.</LI>
1803 <LI>a <STRONG>private key</STRONG> which must be kept secure. No-one
1804 but you should have access to it. </LI>
1806 <P> For FreeS/WAN, both keys for your system are in the <A href="manpage.d/ipsec.secrets.5.html">
1807 ipsec.secrets(5)</A> file. <STRONG>Maintaining security of this file is
1808 essential</STRONG> since it holds your private key.</P>
1809 <P> Public keys for systems you communicate with are placed in <A href="manpage.d/ipsec.conf.5.html">
1810 ipsec.conf(5)</A>. Security here is less vital (unless you are using
1811 manual keying as well, in which case the file may have secret keys). It
1812 does not matter if an enemy knows the public keys, as long as the
1813 private keys are protected.</P>
1814 <H3><A name="genrsakey">Generating an RSA key pair</A></H3>
1815 <P> If you installed FreeS/WAN yourself, then the installation process
1816 has already generated an RSA key pair for you and placed it in the <A href="manpage.d/ipsec.secrets.5.html">
1817 ipsec.secrets(5)</A> file.</P>
1818 <P>If not, you need to:</P>
1820 <LI>Generate an RSA key pair (private and public) using <A href="manpage.d/ipsec_rsasigkey.8.html">
1821 ipsec_rsasigkey(8)</A>.</LI>
1822 <LI>Put the private key in <A href="manpage.d/ipsec.secrets.5.html">
1823 ipsec.secrets</A>, with a wrapper. The result looks like this: </LI>
1826 <stuff generated by rsasigkey>
1832 <LI>the ":" must be unindented (at the margin)</LI>
1833 <LI>the other lines, including the "}", must be indented (not at the
1835 <LI>spaces are needed to separate tokens so, for example, ":RSA{"
1839 <P> This means "always use this as my private RSA key". For other
1840 options, for example if you want to use different keys with different
1841 partners, see the man pages.</P>
1842 <P> The RSA keys we generate are suitable <STRONG>only</STRONG> for
1843 authentication, not for encryption. IPSEC uses them only for
1844 authentication. See our <A href="ipsec.html">IPSEC</A> section for
1846 <P> It is also possible to use keys in other formats, not generated by
1847 FreeS/WAN. This may be necessary for interoperation with other IPSEC
1848 implementations. See our links to <A href="web.html#patches">patches</A>
1849 which add support for keys generated by PGP or embedded in X.509
1851 <H3><A name="keyexchange">Exchanging authentication keys</A></H3>
1852 <P> The next step is to send your public key to everyone you need to
1853 set up connections with, and collect their public keys. The public key
1854 is the line in the output of rsasigkey starting "#pubkey=0x".</P>
1855 <P> Public keys need not be protected as fanatically as private keys.
1856 They are intended to be made public; the system is designed to work
1857 even if an enemy knows all the public keys used.</P>
1858 <P> Note, however, that <STRONG>authentication of public keys is
1859 critical</STRONG>. It does not matter if an enemy knows your public
1860 keys, but if you can be tricked into trusting a public key supplied by
1861 an enemy, you are in deep trouble.</P>
1862 <P> For example, consider the fellow who wants to communicate with his
1863 mistress, keeping messages secret from his wife. </P>
1865 <LI>If the wife obtains the mistress' public key, that is not a
1866 problem. As long as she does not get the private key, she can neither
1867 read things sent to the mistress nor authenticate herself as the
1869 <LI>If the mistress has any sense, she protects her private key
1870 carefully. So long as she does that, and the husband encrypts his
1871 messages correctly, there should be no (cryptographic!) problem.</LI>
1872 <LI>However, imagine that the wife is somewhat devious. She generates a
1873 public/private key pair and sends the husband that public key, forging
1874 the message to look as if it came from the mistress. Of course this
1875 fails if the husband has enough sense to check the key's validity
1876 before using it.</LI>
1877 <LI>However, if the husband blindly <EM>accepts that key without
1878 verification</EM>, it is <EM>extremely</EM> unlikely that he will be
1879 pleased with the results.</LI>
1880 <LI>If he accepts that key, the wife can read every message he sends to
1882 <LI>She can also pose as the mistress and send him whatever messages
1885 <P> You <STRONG>must authenticate any public keys received</STRONG>
1886 before using them. For remote sites, the simplest method is to
1887 exchange them using PGP-signed email (taking appropriate steps to
1888 authenticate the signing keys). For nearby machines, a floppy disk or
1889 trusted network is fine.</P>
1890 <H3><A name="useRSA">Using RSA signatures for authentication</A></H3>
1891 <P> For each system you will communicate with, you need an RSA public
1892 key and an identifier associated with it. The identifiers go in the <VAR>
1893 leftid=</VAR> and <VAR>rightid=</VAR> lines of connection descriptions
1894 in <VAR>ipsec.conf(5)</VAR>. They are the names the systems use to
1895 identify themselves during connection negotiation.</P>
1896 <P> There are four possible forms for these identifiers:</P>
1898 <LI>an IP address in dotted quad notation, four numbers separated by
1899 periods (10.1.19.32).</LI>
1900 <LI>a domain name, which will be resolved immediately
1901 (bad.example.com).</LI>
1902 <LI>a fully qualified domain name (FQDN) with a leading "@" to
1903 indicate that it should not be resolved (@good.example.com)</LI>
1904 <LI>user@FQDN (fred@example.com)</LI>
1906 <P> We recommend that only the @FQDN form be used in most applications.
1907 IP addresses make remarkably uninteresting names. Resolving a name to
1908 an IP address is not interesting in this context, and attempting to
1909 resolve it may cause problems if DNS is down or if someone subverts a
1910 DNS server which you rely on. </P>
1911 <P> If your domain is example.com, the names you use should be of three
1914 <LI>machine names such as "@firewall.example.com".</LI>
1915 <LI>names for other resources, chosen not to conflict, such as
1916 "@fireplug.example.com"</LI>
1917 <LI>identifiers for people (actually for their road warrior machines),
1918 such as "@alice.example.com" or, if she prefers,
1919 "@cleopatra.example.com".</LI>
1921 <P> In order to facilitate distributing keys through DNS, we recommend
1924 <LI>names from non-existent domains</LI>
1925 <LI>names from other people's domains</LI>
1926 <LI>names which conflict with machine names in your domain</LI>
1929 <P> For example, if you have a server alice.example.com, then you
1930 should not use "@alice.example.com" to identify Alice's laptop for
1932 <H2><A name="basic.conf">The configuration file</A></H2>
1933 <P>FreeS/WAN uses a configuration file, <A href="manpage.d/ipsec.conf.5.html">
1934 ipsec.conf(5)</A>.</P>
1935 This section describes setting up the parts of that file that apply to
1938 <DT><VAR>config setup</VAR> section</DT>
1939 <DD>describes machine configuration</DD>
1940 <DT><VAR>conn default</VAR> section</DT>
1941 <DD>default parameters which apply to all connections</DD>
1943 <P> and gives an introduction to the parts of the file that specify the
1944 actual connections. The following section covers setting up three
1945 common types of connection, all using automatic keying with RSA
1946 authentication of the gateways:</P>
1948 <DT>conventional VPN</DT>
1949 <DD>two security gateways, each with a known fixed IP address and with
1950 a network of client machines behind it</DD>
1951 <DT>Road Warrior</DT>
1952 <DD>one player has a dynamically-assigned address</DD>
1953 <DT>opportunistic encryption</DT>
1954 <DD>the two machines have no prior knowledge of each other, but are set
1955 up to secure connections whenever possible</DD>
1957 <P>Setup is quite similar for each of these, but details differ.</P>
1958 <P>Other types of connections are covered in later sections.</P>
1959 <P>The easiest way to create a connection is by editing one of our
1960 examples. Here we will use the one in the installation <A href="manpage.d/ipsec.conf.5.html">
1961 ipsec.conf</A> file. You could also start with one from our <A href="examples">
1962 doc/examples</A> file if one of those is closer to what you need to do.</P>
1963 <H3><A name="setup.conf">The setup section of ipsec.conf(5)</A></H3>
1964 <P>The first section of <A href="manpage.d/ipsec.conf.5.html">
1965 ipsec.conf(5)</A> contains overall setup parameters for IPSEC, which
1966 apply to all connections. In our example file, it is:</P>
1968 # basic configuration
1970 # THIS SETTING MUST BE CORRECT or almost nothing will work;
1971 # %defaultroute is okay for most simple cases.
1972 interfaces=%defaultroute
1973 # Debug-logging controls: "none" for (almost) none, "all" for lots.
1976 # Use auto= parameters in conn descriptions to control startup actions.
1979 # Close down old connection when new one using same ID shows up.
1982 <P>The variables set here are:</P>
1985 <DD>Tells the <A href="#KLIPS">KLIPS</A> IPSEC code in the Linux kernel
1986 which network interface to use. The interfaces specified here are the
1987 only ones this gateway machine will use to communicate with other
1988 IPSEC gateways. <STRONG>If this is not correct, nothing works.</STRONG>
1990 <P>In many cases, the appropriate interface is just your default
1991 connection to the world (the Internet, or your corporate network). In
1992 these cases, you can use the default setting:</P>
1994 <LI>interfaces=%defaultroute</LI>
1996 <P> To check what FreeS/WAN sees as the default route, you can use the
1997 command <VAR>ipsec showdefaults</VAR>. You may need to compare this
1998 with the output from <VAR>route -n</VAR> to get a more complete
2000 <P>In other cases, you can name one or more specific interfaces to be
2001 used by FreeS/WAN. For example:</P>
2003 <LI>interfaces="ipsec0=eth0"</LI>
2004 <LI>interfaces="ipsec0=eth0 ipsec1=ppp0"</LI>
2006 Both tell KLIPS to use eth0 as ipsec0. The second one also supports
2010 <LI>Multiple tunnels do not require multiple interfaces. It is
2011 possible, and even common, to have one ipsec interface carrying
2012 traffic for many tunnels.</LI>
2013 <LI>For PPP connections, you specify the virtual PPP interface (for
2014 example <VAR>ppp0</VAR>) here, <STRONG>not</STRONG> the underlying
2015 physical interface.</LI>
2017 <P>If you need to discover interface names, use the command:</P>
2018 <PRE> ifconfig</PRE>
2019 If you have PCMCIA or other interfaces that are not available at boot
2020 time, special measures are required. See our <A href="#dynamic">section</A>
2023 <DD>Debugging setting for the KLIPS kernel code</DD>
2025 <DD>Debugging setting for the Pluto key and connection negotiation
2027 <P><VAR>klipsdebug</VAR> and <VAR>plutodebug</VAR> can each be set to
2028 "none" or to "all" in most circumstances. There are other options; see
2029 the relevant man pages.</P>
2031 <DD>List of connections to be automatically loaded into memory when
2034 <DD>List of connections to be automatically negotiated when Pluto
2036 <P><VAR>plutoload</VAR> and <VAR>plutostart</VAR> can be quoted lists
2037 of connection names, but are often set to <VAR>%search</VAR> as in our
2038 example. Any connection with <VAR>auto=add</VAR> in its connection
2039 definition is then loaded, and any connection with <VAR> auto=start</VAR>
2041 <P>In most cases, you want <VAR>plutostart=%search</VAR> here and <VAR>
2042 auto=start</VAR> in your connection descriptions. That way when a
2043 connection is broken, for example if one machine crashes or is taken
2044 down for some reason, it will be reliably rebuilt. If only one end is
2045 told to start the connection, then if the other end crashes, you may
2046 lose the connection for a long time. The end that could rebuild does
2047 not know it needs to.</P>
2048 <P>The exception to the above is when you have many road warriors
2049 connecting to a single gateway. Having the gateway trying to rebuild
2050 tunnels to systems which are offline can waste considerable resources.
2051 In this case, the gateway should have <VAR>auto=add</VAR> for all
2052 connections, and let the remote systems start negotiations.</P>
2054 <DD>Controls whether two connections with the same subnet on the
2055 remote end are allowed. Normally this is set to <VAR>yes</VAR> so that
2056 when a remote system disconnects and reconnects, Pluto will
2057 automatically take the old connection down. </DD>
2059 <H3><A name="conn.default">Connection defaults</A></H3>
2060 <P> There is a special name %default that lets you define things that
2061 apply to all connections. e.g. our example file has:</P>
2063 # defaults for subsequent connection descriptions
2065 # How persistent to be in (re)keying negotiations (0 means very).
2067 # How to authenticate gateways
2070 <P>Variables set here are:</P>
2072 <DT>keyingtries</DT>
2073 <DD>How persistent to be in (re)keying negotiations (0 means very). </DD>
2074 <P>For testing, you might wish to set this to some small number,
2075 perhaps even to 1, to avoid wasting resources on incorrectly set up
2076 connections. In production, it is often set to zero (retry forever).
2077 Keeping the connection up is what machine resources are for, so if a
2078 connection is down you night as well waste resources retrying as waste
2079 them by sitting idle. Of course some caution should be exercised with
2080 this, since it can waste network resources as well.</P>
2081 <DT>authby=rsasig</DT>
2082 <DD>authenticate gateways using RSA signatures. This is the preferred
2083 method and is what we will use in this section's examples. An
2084 alternate method is to use <A href="#prodsecrets">shared secrets</A>.</DD>
2086 <P>Once you are finished testing, you can edit these defaults, adding
2087 anything that is standard for all gateways in your organisation.</P>
2088 <P> Previous versions of this document said: <BLOCKQUOTE> Note,
2089 however, that setting the <VAR>auto=</VAR> parameter in the default
2090 connection description <STRONG>does not work</STRONG>. You cannot use <VAR>
2091 auto=start</VAR> here to get all connections started automatically or <VAR>
2092 auto=add</VAR> to get them all loaded. You must set that in the
2093 individual connection descriptions. </BLOCKQUOTE> This restriction has
2094 been removed in FreeS/WAN 1.9. However, if the other end of the tunnel
2095 is an older version, the restriction will still apply there, so some
2096 caution is still required. </P>
2097 <H3><A name="edit.conn">Editing a connection description</A></H3>
2098 <P>Edit our example connection to match what you want to do. Rename it
2099 appropriately for the connection you would like to build:
2100 "fred-susan", "reno-van" or whatever. The name is the second string in
2101 the line that begins with "conn", for example in:</P>
2105 <P> The connection name is "snt" (<STRONG>s</STRONG>ub<STRONG>n</STRONG>
2106 et <STRONG>t</STRONG>unnel) and to define another connection you make a
2107 copy with a new name such as:</P>
2111 <P> A sample connection description is:</P>
2114 # The network here looks like:
2115 # leftsubnet====left----leftnexthop......rightnexthop----right====rightsubnet
2116 # If left and right are on the same Ethernet, omit leftnexthop and rightnexthop.
2118 # left security gateway (public-network address)
2120 # next hop to reach right
2121 leftnexthop=10.44.55.66
2122 # subnet behind left (omit if there is no subnet)
2123 leftsubnet=172.16.0.0/24
2124 # right s.g., subnet behind it, and next hop to reach left
2126 rightnexthop=10.88.77.66
2127 rightsubnet=192.168.0.0/24
2129 We omit here the variables we have shown as set in the default
2130 connection above. All of them could also be set here. If they are set
2131 in both places, settings here take precedence. Defaults are used only
2132 if the specific connection description has no value set.
2133 <P>The network described above looks like this:</P>
2135 subnet 172.16.0.0/24 =leftsubnet
2137 interface 172.16.0.something
2138 left gateway machine
2139 interface 10.0.0.1 =left
2141 interface 10.44.55.66 =leftnexthop
2143 interface we don't know
2147 interface we don't know
2149 interface 10.88.77.66 =rightnexthop
2151 interface 10.12.12.1 =right
2152 right gateway machine
2153 interface 192.168.0.something
2155 subnet 192.168.0.0/24 =rightsubnet</PRE>
2156 You need to edit the connection description, inserting appropriate IP
2157 addresses and subnet descriptions so that it describes your network.
2158 <P>In most cases, you should use numeric IP addresses, not names, here.
2159 The file syntax allows names to be used, but this creates an
2160 additional risk. If someone can subvert the DNS service, then they can
2161 redirect packets whose addresses are looked up via that service.</P>
2162 <P> Many of the variables in this file come in pairs such as
2163 "leftsubnet: and "rightsubnet", one for each end of the connection. The
2164 variables on the left side are:</P>
2167 <DD>The gateway's external interface, the one it uses to talk to the
2168 other gateway. This can be <VAR>left=%defaultroute</VAR>.</DD>
2169 <DT>leftnexthop</DT>
2170 <DD>Where left should send packets whose destination is right,
2171 typically the first router in the appropriate direction. </DD>
2172 <P>This need not always be set.</P>
2174 <LI>If the two gateways are directly linked (packets can go from one
2175 to the other without IP routing by any intermediate device) then you
2176 need not set either <VAR>leftnexthop</VAR> or <VAR> rightnexthop</VAR>.</LI>
2177 <LI>a connection with <VAR>left=%defaultroute</VAR> or <VAR>
2178 right=%defaultroute</VAR> must not have the corresponding <VAR> nexthop</VAR>
2181 However, <EM>in all other cases</EM>, you <EM>must</EM> provide
2182 nexthop information. KLIPS (Kernel IP Security) bypasses the normal
2183 routing machinery, so you must give KLIPS the information even though
2184 routing already knows it.
2185 <P>(Yes, we know that design is not ideal, and we plan to change it.
2186 See extensive discussions on the <A href="mail.html">mailing list</A>,
2187 mostly with "routing" or "KLIPS 2" in the subject lines.)</P>
2189 <DD>Addresses for the machines which left is protecting.
2191 <LI>Often something like 101.202.203.0/24 to indicate that a subnet
2192 resides behind left. Often this subnet will be directly connected to
2193 left, but this not necessary. The only requirement is that left must
2194 be able to route to it.</LI>
2195 <LI>If you omit the leftsubnet line, then left is both the security
2196 gateway and the only client on that end.</LI>
2198 For some applications, you may want to create two connections, one to
2199 protect traffic from the subnet behind left and another to protect
2200 traffic from the left gateway itself. This takes two connection
2201 descriptions. See <A href="#multitunnel">below</A>.</DD>
2202 <DT>leftfirewall</DT>
2203 <DD>Set to "yes" if there is a firewall in play that suppresses
2204 forwarding, for example if a subnet behind left uses non-routable
2205 addresses and left does <A href="#masq">IP masquerade</A> for them.
2206 This will cause <A href="manpage.d/ipsec_pluto.8.html">Pluto</A> to
2207 invoke our default script to adjust the firewall as required. </DD>
2208 <P> For more detail, including ways to invoke your own customised
2209 script instead, see our <A href="firewall.html">FreeS/WAN and firewalls</A>
2212 <DD>If the <VAR>conn setup</VAR> section has <VAR> plutoload=%search</VAR>
2213 , then all connections marked <VAR> auto=add</VAR> are loaded when
2215 <P> If the <VAR>conn setup</VAR> section has <VAR> plutostart=%search</VAR>
2216 , then all connections marked <VAR> auto=start</VAR> are started when
2218 <P> Initially, we suggest using <VAR>auto=add</VAR> on all
2219 connections. This lets you start them manually during testing. Once
2220 they are tested, you can change many of them to <VAR>auto=start</VAR>. </P>
2222 <P>For each left* parameter, there is a corresponding right* parameter.</P>
2223 <P>Note that <EM>a connection to a subnet behind left does not include
2224 left itself</EM>. The tunnel described above protects packets going <EM>
2225 from one subnet to the other</EM>. It does not apply to packets which
2226 either begin or end their journey on one of the gateways. If you need
2227 to protect those packets, you must build separate tunnel descriptions
2229 <P>It is a common error to attempt testing a subnet-to-subnet
2230 connection by pinging from one of the gateways to the far end or vice
2231 versa. <STRONG>This does not work</STRONG>, even if the connection is
2232 functioning perfectly, because <EM>traffic to or from the gateway
2233 itself is not sent on that connection</EM>. If you want to protect
2234 traffic originating or terminating on the gateway, then you need a
2235 separate tunnel for that in addition to the subnet's tunnel. See the
2236 section on <A href="#multitunnel">multiple tunnels</A> below.</P>
2237 <H3><A name="which">Which is which?</A></H3>
2238 <P>Which security gateway is "left" and which is "right" is arbitrary.</P>
2239 <P>We suggest that you name connections by their ends. For example,
2240 name the link between Fred and Susan's machines "fred-susan" or the
2241 link between your Reno and Vancouver offices "reno-van". You can then
2242 let "left" refer to the left half of the name, "fred" or "reno" in our
2243 examples, and "right" to the other half.</P>
2244 <P>To simplify administration, we recommend that you <STRONG>use the
2245 same names</STRONG> in the <VAR>ipsec.conf</VAR> files <STRONG>on both
2246 ends</STRONG>. The name "reno", for example, should refer to the
2247 machine in Reno, no matter which city the file is in, and if "reno" is
2248 "left" in the reno-van description in Reno, then "reno" should be
2249 "left" in that description on the Vancouver machine as well. </P>
2250 <P> Then when you copy the file from one machine to the other, the <EM>
2251 only</EM> change you should make on the second machine is changing the <VAR>
2252 interfaces=</VAR> line to match the interface that machine uses for
2254 <P> Of course the software does not actually require this. The names
2255 are just arbitrary strings to it. If your administrator in Reno wants
2256 to refer to the machines as "Phobos" and "Demios" while the Vancouver
2257 admin calls them "George" and "Gracie", things should still work.</P>
2258 <H2><A name="examples">Example setups</A></H2>
2259 <P> In this section we show examples of three common setups: </P>
2261 <LI>a VPN connection </LI>
2262 <LI>road warrior support </LI>
2263 <LI>opportunistic encryption </LI>
2265 <P> We use a, b, c ... to indicate components of IP addresses. Each
2266 letter is some number in the range 0 to 255, inclusive.</P>
2267 <P> For additional examples, see our <A href="examples">examples</A>
2269 <H3><A name="VPNex">VPN</A></H3>
2270 <P> In this example, the network looks like this:</P>
2272 subnet a.b.c.0/24 =leftsubnet
2273 | (head office has routable IP addresses)
2275 left gateway machine
2276 interface e.f.g.h =left
2277 | (external address outside a.b.c.0 subnet)
2278 interface e.f.g.i =leftnexthop
2280 interface we don't know
2284 interface we don't know
2286 interface j.k.l.m =rightnexthop
2288 interface j.k.l.n =right
2289 right gateway machine
2290 interface 192.168.0.something
2291 | (branch office uses private IP addresses)
2292 subnet 192.168.0.0/24 =rightsubnet
2294 <P> The ipsec.conf(5) file might look like this (with RSA keys
2295 shortened for easy display):</P>
2297 # basic configuration
2305 # defaults that apply to all connection descriptions
2307 # How persistent to be in (re)keying negotiations (0 means very).
2309 # How to authenticate gatways
2312 # VPN connection for head office and branch office
2314 # identity we use in authentication exchanges
2315 leftid=@head.example.com
2316 leftrsasigkey=0x175cffc641f...
2317 # left security gateway (public-network address)
2319 # next hop to reach right
2321 # subnet behind left (omit if there is no subnet)
2322 leftsubnet=a.b.c.0/24
2323 # right s.g., subnet behind it, and next hop to reach left
2324 rightid=@branch.example.com
2325 rightrsasigkey=0xfc641fd6d9a24...
2327 rightnexthop=j.k.l.m
2328 rightsubnet=192.168.0.0/24
2329 # right is masquerading
2333 <P> The versions of this file at the two ends should be identical,
2334 except that each must have an <VAR>interfaces=</VAR> line appropriate
2335 for the local machine.</P>
2336 <H4><A name="route_or_not">Routable and non-routable addresses</A></H4>
2337 <P> RFC 1918 reserves three groups of addresses for use on private
2340 <LI>10.0.0.0/8 </LI>
2341 <LI>172.16.0.0/12 </LI>
2342 <LI>192.168.0.0/16 </LI>
2344 <P> Addresses in these ranges will never be assigned to anything on the
2345 Internet. Many routers automatically drop any packet with one of these
2346 addresses as either source or destination. </P>
2347 <P> You can use FreeS/WAN to route between two such networks, using for
2348 example <VAR>leftsubnet=192.168.47.0/24</VAR> and <VAR>
2349 rightsubnet=192.168.48.0/24</VAR>. These addresses still do not appear
2350 on the Internet; they are encapsulated inside IPSEC packets which have
2351 the gateways' external addresses (from the <VAR>left</VAR> and <VAR>
2352 right</VAR> parameters of the connection description) in their headers. </P>
2353 <H3><A name="roadex">Road Warrior</A></H3>
2354 <P> For our purposes, a "road warrior" is any machine that does not
2355 have a fixed IP address where it can normally be expected to be on
2356 line. This includes:</P>
2358 <LI>a traveller who might connect from anywhere</LI>
2359 <LI>any machine that has a dynamic IP address -- nearly all dialup
2360 connections and most DSL or cable modem connections, at least in North
2362 <LI>most home machines connecting to the office. If you have a home
2363 firewall that is always left on and has a static IP address, then you
2364 can use the <A href="#VPNex">VPN</A> configuration described above.
2365 Otherwise, consider yourself a road warrior.</LI>
2367 <P> The configuration for road warrior support looks slightly different
2368 from a VPN configuration. We cannot use the road warrior's IP address
2369 in the configuration file since we don't know it, and we don't want to
2370 have our server retrying connections to road warriors that are no
2372 <P> In this example, the network looks like this:</P>
2374 subnet a.b.c.0/24 =leftsubnet
2375 | (head office has routable IP addresses)
2377 left gateway machine
2378 interface e.f.g.h =left
2379 | (external address outside a.b.c.0 subnet)
2380 interface e.f.g.i =leftnexthop
2385 interface with dynamic IP address
2386 road warrior machine
2388 <P> Here the ipsec.conf(5) files on the two ends are slightly
2389 different. The one at the office might have exactly the same <VAR>
2390 config setuo</VAR> and <VAR>conn %default</VAR> sections as in the VPN
2393 # basic configuration
2401 # defaults that apply to all connection descriptions
2403 # How persistent to be in (re)keying negotiations (0 means very).
2405 # How to authenticate gatways
2408 <P> Then add a description for the road warrior connection:</P>
2410 # Connection for road warrior Fred
2412 # identity we use in authentication exchanges
2413 leftid=@head.example.com
2414 leftrsasigkey=0x175cffc641f...
2415 # left security gateway (public-network address)
2417 # next hop to reach right
2419 # subnet behind left (omit if there is no subnet)
2420 leftsubnet=a.b.c.0/24
2421 # accept any address for right
2423 # any address, provided authentication works
2424 rightid=@fred.example.com
2425 rightrsasigkey=0xd9a24765fe...
2426 # no subnet for a typical road warrior
2427 # it is possible, but usually not needed
2428 # let the road warrior start the connection
2430 # override the default retry for road warriors
2431 # we don't want to retry if IP connectivity is gone
2434 <P> On the gateway end we use</P>
2436 <LI><VAR>right=%any</VAR> so we have no preset idea of right's IP
2437 address and will accept whatever arrives on the packets</LI>
2438 <LI><VAR>auto=add</VAR> so we accept connections but don't initiate</LI>
2439 <LI><VAR>keyingtries=1</VAR> so we do not retry to excess when the
2440 partner disconnects or changes IP address</LI>
2442 <P> The file on the road warrior end is nearly identical, except that
2445 <LI><VAR>interfaces=%defaultroute</VAR> to handle the dynamic IP
2447 <LI><VAR>right=%defaultroute</VAR></LI>
2448 <LI><VAR>auto=start</VAR> to start the connection</LI>
2449 <LI><VAR>keyingtries=0</VAR> to try to maintain the connection</LI>
2451 <P> Additional road warriors can be added as required. Each should have
2452 his or her own connection description with unique settings for <VAR>
2453 rightid</VAR> and <VAR>rightrsasigkey</VAR>.</P>
2454 <P> Jean-Francois Nadeau's <A href="http://jixen.tripod.com/#Rw-Fwan-to-Fwan">
2455 Practical Configurations</A> document also has an example of using RSA
2456 authentication for road warriors.</P>
2457 <H3><A name="oppex">Opportunistic encryption</A></H3>
2458 We use the term <A href="glossary.html">opportunistic encryption</A>
2459 for encryption which does not rely on any pre-arranged connection,
2460 hence does not require that the administrators of the two gateways
2461 involved communicate with each other (for example, to exchange keys)
2462 before their systems can create a secure connection.
2463 <P> The idea is that each gateway check the destinations of outgoing
2464 packets, see if an encrypted connection is possible and, if so, take
2465 the opportuntity to encrypt. The opportunity will exist whenever the
2466 admins on both ends have set their systems up for opportunistic
2468 <P> This makes encryption the default behaviour, and could greatly
2469 increase the overall security of the Internet if it were widely enough
2470 adopted. See our documents: </P>
2472 <DT><A href="politics.html">history and politics</A></DT>
2473 <DD>for the reasons we want to do this </DD>
2474 <DT><A href="#traffic.resist">IPSEC protocols</A></DT>
2475 <DD>for discussion of the general principle of encrypting as much as
2478 <P> The gateways must be able to authenticate each other for IPSEC to
2479 be secure. For opportunistic encryption, we rely on the domain name
2480 system, <A href="glossary.html">DNS</A>, to provide the RSA keys needed
2481 for this authentication. Note, that currently this is not entirely
2482 secure because <STRONG>the DNS mechanism it relies on is not fully
2483 secure</STRONG>. Eventually, as <A href="#SDNS">secure DNS</A> becomes
2484 widely deployed, this will change. </P>
2485 <H4><A name="opp.status">Status</A></H4>
2486 The team have been working on this for some time, and testing
2487 internally. As of late May, 2001 this code is ready for wider testing. <STRONG>
2488 We encourage everyone to try it.</STRONG>
2489 <P> The main documentation items so far are: </P>
2491 <LI>an <A href="opportunism.howto">Opportunism HowTo</A> by Pluto
2492 programmer Hugh Redelmeier </LI>
2493 <LI>a <A href="opportunism.spec">design document</A> by Hugh and
2494 technical lead Henry Spencer. </LI>
2496 I am playing catch up. HTML documentation so far is neither complete
2497 nor particularly clear, and not all of it has had technical review by
2498 the developers, so it may have errors. What I have so far is below.
2499 <P> Note that both software and documentation for this are changing
2500 quickly. You may want the latest snapshot for opportunism experiments. </P>
2501 <P><STRONG> We do not yet recommend this code for production use</STRONG>
2502 . You should still protect your critical data with explicitly
2503 configured IPSEC tunnels, rather than relying on opportunistic for
2504 everything at this stage. </P>
2505 <H4><A name="opp.config">ipsec.conf entries for opportunism</A></H4>
2506 The relevant lines in the config file might look like this:
2508 conn subnet-to-anyone # for our client subnet
2509 leftsubnet=10.42.42.0/24 # any single client in our subnet
2510 left=%defaultroute # our SG (defaults leftnexthop too)
2511 right=%opportunistic
2513 <P> The public key, in our format, must be in a KEY record of the
2514 appropriate DNS entry for this to work.</P>
2515 <P> Each opportunistic connection supports a single source/destination
2516 pair of IP addresses. There is no way to build an opportunistic
2517 connection for a larger subnet. Specifying a subnet in the connection
2518 description, as in the example above, just means that any host in that
2519 subnet may have opportunistic connections.</P>
2520 <H4><A name="dns.background">Some DNS background</A></H4>
2521 <P> Opportunism requires that the gateway systems be able to fetch
2522 public keys, and other IPSEC-related information, from each other's DNS
2523 (domain name service) records. </P>
2524 <P> DNS is a distributed database that maps names to IP addresses and
2525 vice versa. A system named gateway.example.com with IP address
2526 10.20.30.40 should have at least two DNS records: </P>
2528 <DT>gateway.example.com. IN A 10.20.30.40 </DT>
2529 <DD>used to look up the name and get an IP address </DD>
2530 <DT>40.30.20.10.in-addr.arpa. IN PTR gateway.example.com. </DT>
2531 <DD>used for reverse lookups, looking up an address to get the
2532 associated name. Notice that the digits here are in reverse order; the
2533 actual address is 10.20.30.40 but we use 40.30.20.10 here. </DD>
2535 Some syntactic details are:
2537 <LI>the IN indicates that these records are for <STRONG>In</STRONG>
2538 ternet addresses </LI>
2539 <LI>The final periods in '.com.' and '.arpa.' are required. They
2540 indicate the root of the domain name system. </LI>
2542 For much more detail, see:
2544 <LI><A href="http://www.linuxdoc.org/LDP/nag2/index.html">Linux Network
2545 Administrator's Guide</A></LI>
2546 <LI>the standard <A href="#DNS.book">DNS reference</A> book </LI>
2547 <LI><A href="http://www.nominum.com/resources/whitepapers/bind-white-paper.html">
2548 BIND overview</A></LI>
2549 <LI><A href="http://www.nominum.com/resources/documentation/Bv9ARM.pdf">
2550 BIND 9 Administrator's Reference</A></LI>
2552 The capitalised strings after IN indicate the type of record. Possible
2555 <LI><STRONG>A</STRONG>ddress </LI>
2556 <LI><STRONG>P</STRONG>oin<STRONG>T</STRONG>e<STRONG>R</STRONG></LI>
2557 <LI><STRONG>C</STRONG>anonical <STRONG>NAME</STRONG>, records to
2558 support aliasing, multiple names for one address </LI>
2559 <LI><STRONG>MX</STRONG>, used in mail handling </LI>
2560 <LI><STRONG>SIG</STRONG>nature, used in <A href="#SDNS">secure DNS</A></LI>
2561 <LI><STRONG>KEY</STRONG>, used in <A href="#SDNS">secure DNS</A></LI>
2562 <LI><STRONG>T</STRONG>e<STRONG>XT</STRONG>, a multi-purpose record type </LI>
2564 To set up for opportunistic encryption, you add some KEY and TXT
2565 records to your DNS data.
2566 <H4><A name="dnskey">Putting IPSEC information in DNS</A></H4>
2567 There are two types of DNS record to be added:
2569 <LI>each gateway must have a KEY record which other gateways can query
2570 to fetch its RSA authentication key </LI>
2571 <LI>any client whose communications are to be protected by a gateway
2572 must have a TXT record pointing to that machine as an authorised IPSEC
2575 <A href="manpage.d/ipsec_showhostkey.8.html"> ipsec_showhostkey(8)</A>
2576 provides the key in DNS record format. You will need to put it in the
2577 appropriate place in the DNS records.
2578 <P> To be more precise, quoting the Opportunism Design document: </P>
2580 For reference, the minimum set of DNS records needed to make
2581 this all work is either:
2583 1. TXT in Destination reverse map, identifying Responder
2584 and providing public key.
2585 2. KEY in Initiator reverse map, providing public key.
2586 3. TXT in Source reverse map, verifying relationship to
2591 1. TXT in Destination reverse map, identifying Responder.
2592 2. KEY in Responder reverse map, providing public key.
2593 3. KEY in Initiator reverse map, providing public key.
2594 4. TXT in Source reverse map, verifying relationship to
2597 Slight complications ensue for dynamic addresses, lack of
2598 control over reverse maps, etc.
2600 <H5><A name="dns.client">DNS records for client systems</A></H5>
2601 You must have control of the reverse maps for your client systems, or
2602 opportunistic IPSEC cannot be made to work.
2603 <P> The client systems will be either Source or Destination, so they
2606 1. TXT in Destination reverse map, identifying Responder
2607 and providing public key.
2609 3. TXT in Source reverse map, verifying relationship to
2614 1. TXT in Destination reverse map, identifying Responder.
2617 4. TXT in Source reverse map, verifying relationship to
2620 If you control the gateway's reverse map, example client records would
2623 42.42.42.10.in-addr.arpa. IN PTR deepthought.example.com.
2624 42.42.42.10.in-addr.arpa. IN TXT "X-IPsec-Server(10)=10.20.30.40 AQNJjkKlIk9...nYyUkKK8"
2626 which can also be written as just:
2628 42.42.42.10.in-addr.arpa. IN PTR deepthought.example.com.
2629 IN TXT "X-IPsec-Server(10)=10.20.30.40 AQNJjkKlIk9...nYyUkKK8"
2631 This provides the IP address of the security gateway and the public
2632 key which the gateway will use to authenticate itself. This is the
2634 <H5><A name="dns.gateway">DNS records for gateway systems</A></H5>
2635 The gateways will be either Initiator or Responder so they need:
2638 2. KEY in Initiator reverse map, providing public key.
2644 2. KEY in Responder reverse map, providing public key.
2645 3. KEY in Initiator reverse map, providing public key.
2648 <P> If you control the gateway's reverse map, you just add a KEY record
2649 there. That is all the gateway reverse map needs, whether it is working
2650 as Initiator or Responder. </P>
2651 <P> Here is an example, with many characters of the key itself left
2654 40.30.20.10.in-addr.arpa. IN KEY 0x4200 4 1 AQNJjkKlIk9...nYyUkKK8
2656 This allows lookups on the IP address of the gateway to retrieve the
2658 <H6>If you <EM>don't</EM> control the gateway's reverse map</H6>
2659 The approach must be different if you do not have control over the
2660 reverse map for your gateway. Perhaps your ISP controls that, and
2661 provides no way for you to put data into their maps. Without that, you
2662 cannot set your gateway up to respond to incoming opportunistic
2663 requests (short of changing ISPs, which you might consider).
2664 <P> However, suppose a friend over at example.org will let you put
2665 things in their maps. That will allow you to set your gateway up to
2666 handle opportunistic connections for which it is the initiator. </P>
2667 <P> You still need to be able to put data in the reverse map for your
2668 clients. However, that data is slightly different: </P>
2670 42.42.42.10.in-addr.arpa. IN PTR deepthought.example.com.
2671 IN TXT "X-IPsec-Server(10)=something.example.org"
2673 Over at example.org, your friend puts these lines in the DNS data
2676 something.example.org. IN A 10.20.30.40
2677 something.example.org. IN KEY 0x4200 4 1 AQNJjkKlIk9...nYyUkKK8
2679 Your gateway must identify itself in IKE as something.example.org, not
2680 as gateway.example.com. You set that up via <VAR>leftid=</VAR> or <VAR>
2681 rightid=</VAR> entries in <A href="manpage.d/ipsec.conf.5.html">
2683 <P> With this arrangement, the remote gateway receives an ID payload
2684 early in IKE with your (bogus) gateway name "something.example.org".
2685 Then it looks up that name to get the IP address and key for the
2687 <H2><A name="handy">Simplifying ipsec.conf files</A></H2>
2688 <P> We provide several features in the syntax of the <A href="manpage.d/ipsec.conf.5.html">
2689 ipsec.conf(5)</A> file that are intended to simplify the work of
2690 managing complex multi-connection setups:</P>
2692 <LI>a <VAR>conn %default</VAR> connection description for information
2693 common to all connections</LI>
2694 <LI><VAR>also=</VAR> lines allow a piece of a description to be defined
2695 in one place and used in several (the definition must be after all
2697 <LI><VAR>include</VAR> directives allow information to be stored in
2698 separate files but used as part of the configuration</LI>
2700 <P> These can be combined in whatever way suits your application. One
2701 example is this ipsec.conf file for a gateway supporting multiple road
2702 warriors, all using RSA authentication:</P>
2708 authby=rsasig # all connections use RSA authentication
2709 keyingtries=1 # road warrior can retry, we shouldn't
2710 # some parameters are common to all remote systems
2711 right=%any # accept from any address
2713 # pick up all remote system descriptions
2714 # uses shell wildcards
2715 include /etc/ipsec/remote.*.conn
2717 # left side of all connections is the same
2718 # define it after the descriptions which use it
2720 left=101.101.101.101
2721 leftnexthop=101.101.101.1
2722 leftsubnet=202.202.202.0/24
2723 leftid=@gateway.example.org
2725 <P> On the left gateway, we can omit <VAR>leftrsasig</VAR>. That
2726 gateway uses the private key stored in ipsec.secrets(5) and has no need
2727 for its own public key. Similarly, the road warriors need not have
2728 their own public keys in ipsec.conf(5), only the gateway's public key. </P>
2729 <P> The remote connection descriptions in <VAR>/etc/ipsec/remote.*.conn</VAR>
2730 need then have only a few lines each: </P>
2733 # pick up common info for all connections
2735 # identify the remote machine
2736 rightid=@myname.example.org
2737 rightrsasigkey=0xfc641fd6d9a24...
2738 # we cannot use auto= in default or an also= section
2740 auto=add # load, but don't start
2742 <P> Note that if <VAR>auto=add</VAR> or <VAR>auto=start</VAR>
2743 parameters are used, they <STRONG>must be in the actual connection
2744 descriptions</STRONG>. Neither putting them in the <VAR>conn default</VAR>
2745 section nor including them via an <VAR>also=</VAR> line will work.</P>
2746 <P> Also, be careful with the order of sections in this file. The
2747 parser used requires that a definition comes after the <VAR>also=</VAR>
2748 line which uses it. In our example, the <VAR>include</VAR> inserts the
2749 files with the <VAR>also=leftstuff</VAR> lines before the definition of <VAR>
2750 conn leftstuff</VAR> so things are parsed in the correct order.</P>
2751 <H2><A name="fw.basic">Is there a firewall in play?</A></H2>
2752 <P> If firewall packet filtering is being done on either of the
2753 FreeS/WAN gateway machines, or on any machine on the path between them,
2754 then you will probably need to adjust the filters before FreeS/WAN can
2755 work. The filters must allow:</P>
2757 <LI>UDP packets between port 500 on one gate and port 500 on the other,
2758 used by the automatic keying daemon Pluto.</LI>
2759 <LI>at least one of protocol 50 (ESP) and 51 (AH). Most applications
2760 want ESP since AH does only authentication, not encryption.</LI>
2762 <P> For more detail, see our <A href="firewall.html">IPSEC and firewalls</A>
2764 <H2><A name="testing">Testing the installation</A></H2>
2765 <P> This section covers testing connections once you have FreeS/WAN
2766 installed and your <A href="manpage.d/ipsec.conf.5.html">ipsec.conf(5)</A>
2768 <P> We assume all your connection descriptions use <VAR>auto=add</VAR>
2769 so that <A href="manpage.d/ipsec_pluto.8.html">ipsec_pluto(8)</A>
2770 loads the descriptions into its internal database at startup but does
2771 not attempt to start the connections until you tell it to.</P>
2772 <H3><A name="matching">Matching numbers</A></H3>
2773 <P> It is important that the numbers in your connection descriptions
2774 match the network configuration. FreeS/WAN is almost certain to fail if
2776 <P> Suppose you are at the Reno office and your ipsec.conf file now
2777 has, among others, these lines:</P>
2780 interfaces="ipsec0=eth0"
2783 left=101.101.101.101
2784 right=202.202.202.202
2786 <P> When you tell FreeS/WAN to start the reno-van connection, it
2787 doesn't automagically know that it is in Reno, or that it is <VAR>left</VAR>
2788 in the configuration. It discovers that by comparing the IP address
2789 for ipsec0 (and, if it is set, for ipsec1) to the addresses for left
2790 and right. ipsec0 inherits its address from the underlying device, eth0
2792 <P> So in our example, if eth0 has IP address 101.101.101.101 then
2793 ipsec0 inherits that address, the correct match is found, and this
2794 FreeS/WAN discovers that it is <VAR>left</VAR>. (If no match is found, <A
2795 href="manpage.d/ipsec_pluto.8.html">Pluto</A> reports "unable to orient
2796 connection".) It then sets itself up with any other left* parameters
2797 in use -- some of <VAR>leftnexthop</VAR>, <VAR>leftsubnet</VAR>, <VAR>
2798 leftfirewall</VAR> and <VAR>leftid</VAR>. </P>
2799 <P> Once it has these parameters, FreeS/WAN sets things so that </P>
2801 <LI>packets from leftsubnet addressed to rightsubnet are routed through
2802 a tunnel to right.</LI>
2803 <LI>Packets for leftsubnet can be received on the tunnel and delivered.</LI>
2805 <P> All should be well.</P>
2806 <P> Of course, there must also be interfaces and routes set up so that
2807 this machine can exchange IP packets both with the right gateway and
2808 with clients on leftsubnet. This is done with standard Linux utilities
2809 such as ifconfig(8) and route(8). Also, things must be correct on right
2810 in Vancouver. It takes two to tunnel.</P>
2811 <P> A data mismatch anywhere in this configuration will cause FreeS/WAN
2812 to fail and to log various error messages. Depending on just how
2813 confused FreeS/WAN is and about what, the error messages may be
2814 somewhat confusing. See our <A href="trouble.html">troubleshooting</A>
2815 section to get help interpreting them if required.</P>
2816 <P><EM> We recommend double-checking for consistency here before
2817 starting actual tests.</EM>.</P>
2818 <H3><A name="testsetup">Sanity checking</A></H3>
2819 <P> Reboot both gateways to get FreeS/WAN started. No connections are
2820 actually made yet, but the stage is set.</P>
2821 <P> Examine /var/log/messages for any signs of trouble.</P>
2822 <P> On both gateways, the following entries should now exist in the
2823 /proc/net/ directory:</P>
2825 <LI>ipsec_eroute</LI>
2827 <LI>ipsec_spigrp</LI>
2828 <LI>ipsec_spinew</LI>
2829 <LI>ipsec_tncfg</LI>
2830 <LI>ipsec_version</LI>
2832 <P> and the IPSEC interfaces should be attached on top of the specified
2833 physical interfaces. Confirm that with:</P>
2835 cat /proc/net/ipsec_tncfg
2837 <P> You should see at least device ipsec0, and each ipsec device should
2838 point to a physical device, eg. 'ipsec0 -> eth0 mtu=16260 -> 1500'.
2839 Routing connections through this pseudo-device with our eroute(8)
2840 utility causes the data to be encrypted before being delivered to the
2841 underlying network interface.</P>
2842 <P> Don't be surprised when you cannot find that /dev/ipsec0 or
2843 /dev/ipsec1. They do not exist. Other network pseudo-devices such as
2844 eth0 and eth1 do not have entries in /dev either. In general, network
2845 devices do not need such entries.</P>
2846 <H3><A name="test">Starting a connection</A></H3>
2847 <P> On one gateway, start IPSEC with:</P>
2849 ipsec auto --up <VAR>name</VAR>
2851 <P> replacing <VAR>name</VAR> with the connection name you used in
2853 <P> Note that to shut down a connection, you must do:</P>
2855 ipsec auto --down <VAR>name</VAR>
2857 <P> on <EM>both</EM> gateway machines, even though you only start it
2859 <P> If the <VAR>ipsec auto --up</VAR> command doesn't generate any
2864 <P> and see if the output looks something like this:</P>
2866 foo.spsystems.net Wed Nov 25 22:51:45 EST 1998
2867 -------------------------
2868 10.0.1.0/24 -> 11.0.1.0/24 => tun0x200@11.0.0.1 esp0x202@11.0.0.1
2869 -------------------------
2870 tun0x200@11.0.0.1 IPv4_Encapsulation: dir=out 10.0.0.1 -> 11.0.0.1
2871 esp0x203@10.0.0.1 3DES-MD5-96_Encryption: dir=in iv=0xc2cbca5ba42ffbb6 seq=0 bit=0x00000000 win=0 flags=0x0<>
2872 esp0x202@11.0.0.1 3DES-MD5-96_Encryption: dir=out iv=0xc2cbca5ba42ffbb6 seq=0 bit=0x00000000 win=0 flags=0x0<>
2873 Destination Gateway Genmask Flags MSS Window irtt Iface
2874 11.0.0.0 0.0.0.0 255.255.255.0 U 1500 0 0 eth1
2875 11.0.1.0 11.0.0.1 255.255.255.0 UG 1404 0 0 ipsec0</PRE>
2876 <P> If it does, you're probably in business.</P>
2877 <P> This example shows:</P>
2879 a tunnel tun0x200 going to 11.0.0.1
2880 outgoing connection esp0x202
2881 incoming connection esp0x203
2883 <P> Both connections use <A href="#ESP">ESP</A> with <A href="#3DES">
2884 3DES</A> encryption and <A href="#MD5">MD5</A> authentication.</P>
2885 <P> The routing is:</P>
2887 11.0.0.0 via eth1 and the Internet
2888 11.0.1.0 via ipsec0 which encrypts and then sends to 11.0.0.1
2890 <P> This routes all traffic to the protected network 11.0.1.0/24
2891 through an IPSEC tunnel to the gateway 11.0.0.1.</P>
2892 <H3><A name="pingtest">Ping tests</A></H3>
2893 <P> If that works, test whether Sunrise can ping Sunset and vice versa.
2894 Our example setup again is:</P>
2896 Sunset==========West------------------East=========Sunrise
2897 local net untrusted net local net
2899 <P> There is no point in testing to or from the gateways themselves;
2900 the goal is to secure traffic between the subnets, not between the
2901 security gateways themselves.</P>
2902 <P> In general, pings or other <STRONG>tests using the public
2903 interfaces of East and/or West are entirely useless</STRONG>. The IPSEC
2904 tunnel is for packets between the two protected subnets and the outside
2905 interfaces are not on those subnets. Depending on your routing
2906 configuration, test packets sent via those interfaces will be:</P>
2908 <LI>either transmitted in the clear, bypassing the tunnel,</LI>
2909 <LI>or discarded because there is no tunnel in place to handle them</LI>
2911 <P> In either case, <STRONG>they tell you nothing about the tunnel</STRONG>
2913 <P> Sometimes it will be inconvenient to use the client machines
2914 (Sunrise and Sunset in our example) for testing. In these cases, use a
2915 command such as:</P>
2917 traceroute -i eth0 -f 20 192.168.7.1
2919 <P> where each of the interfaces specified (eth0 and 192.168.7.1 in the
2920 example) are <STRONG>on one of the protected subnets</STRONG>, eth0
2921 being the local gateway's interface on that side and 192.168.7.1 the
2922 remote gateway's subnet interface. This forces the packets through the
2923 IPSEC tunnel you want to test.</P>
2924 <P> For information on setting things up so that gateways can do IPSEC
2925 to each other or to remote subnets, see <A href="#multitunnel">below</A>
2927 <P>If you have other software set up, test with it as well. Telnet from
2928 Sunrise to Sunset, browse a web server on the remote net and so on.</P>
2929 <H3><A name="tcpdump">Testing with tcpdump</A></H3>
2930 <P> To verify that all is working, run tcpdump(8) on a machine which
2931 can listen to the traffic between the gateways.</P>
2932 <P> This is most easily done from a third machine, rather than from one
2933 of the gateways. On the gateways you may see packets at intermediate
2934 stages of processing and the result may be confusing. </P>
2935 <P> If the results make no sense at all, or you see "bad physical
2936 medium" error messages, you probably have an outdated version of
2937 tcpdump(8) that does not handle IPSEC at all. See our <A href="#tcpdump">
2939 <P> The packets should, except for some of the header information, be
2940 utterly unintelligible. The output of good encryption looks exactly
2941 like random noise.</P>
2942 <P>You can put recognizable data in the ping packets with something
2944 <PRE> ping -p feedfacedeadbeef 11.0.1.1</PRE>
2945 <P> "feedfacedeadbeef" is a legal hexadecimal pattern that is easy to
2946 pick out of hex dumps.</P>
2947 <P> For many other protocols, you need to check if you have encrypted
2948 data or ASCII text. Encrypted data has approximately equal frequencies
2949 for all 256 possible characters. ASCII text has most characters in the
2950 printable range 0x20-0x7f, a few control characters less than 0x20, and
2951 none at all in the range 0x80-0xff.</P>
2952 <P> 0x20, space, is a good character to look for. In normal English
2953 text space occurs about once in seven characters, versus about once in
2954 256 for random or encrypted data. You can put long sequences of spaces
2955 in your data and look for 0x20202020 in output, but this is not usually
2957 <P> If packets look like total garbage, nothing recognizable, all is
2959 <P>Note that to shut down a connection, you must do:</P>
2960 <PRE> ipsec auto --down <VAR>name</VAR></PRE>
2961 <P>on <EM>both</EM> gateway machines, even though you only start it
2963 <P>Again, you can verify with the same commands.</P>
2964 <P>Repeat the ping test. Repeat the tcpdump test.</P>
2965 <P>If everything succeeds, congratulations.</P>
2966 <P><STRONG>You now have a working Linux FreeS/WAN installation.</STRONG></P>
2967 <H2><A name="links.conf">What next?</A></H2>
2968 <P> At this point you should have a working FreeS/WAN setup. If not,
2969 you could go back and doublecheck various things above or try:</P>
2972 <LI>our <A href="faq.html">FAQ</A></LI>
2973 <LI>our <A href="trouble.html">troubleshooting</A> section</LI>
2975 <P> If all is well so far, you could continue with this section to
2976 explore other ways to configure FreeS/WAN connections or branch out to:</P>
2978 <LI>more detail on the <A href="ipsec.html">IPSEC protocols</A></LI>
2979 <LI><A href="interop.html">interoperating</A> with other IPSEC
2980 implementations</LI>
2981 <LI><A href="politics.html">history and politics of cryptography</A></LI>
2982 <LI>additional <A href="examples">configuration examples</A></LI>
2984 <P> Of course you might just go off for a beverage or meal at this
2986 <H2><A name="otherconf">Other configuration possibilities</A></H2>
2987 <P> The rest of this section describes various less-used options for
2989 <H3><A name="choose">Choosing connection types</A></H3>
2990 <P> The first major decision you need to make before configuring
2991 additional connections is what type or types of connections you will
2992 use. There are several options, and you can use more than one
2994 <H4><A name="man-auto">Manual vs. automatic keying</A></H4>
2995 <P> IPSEC allows two types of connections, with manual or automatic
2996 keying. FreeS/WAN starts them with commands such as:</P>
2998 ipsec manual --start <VAR>name</VAR>
2999 ipsec auto --up <VAR>name</VAR>
3001 <P>The difference is in how they are keyed.</P>
3003 <DT><A href="#manual">Manually keyed</A> connections</DT>
3004 <DD>use keys stored in <A href="manpage.d/ipsec.conf.5.html">ipsec.conf</A>
3006 <DT><A href="#auto">Automatically keyed</A> connections</DT>
3007 <DD>use keys automatically generated by the Pluto key negotiation
3008 daemon. The key negotiation protocol, <A href="#IKE">IKE</A>, must
3009 authenticate the other system. (It is vulnerable to a <A href="#middle">
3010 man-in-the-middle attack</A> if used without authentication.) We
3011 currently support two authentication methods:
3013 <LI>using shared secrets stored in <A href="manpage.d/ipsec.secrets.5.html">
3014 ipsec.secrets</A>.</LI>
3015 <LI>RSA <A href="#public">public key</A> authentication, with public
3016 keys for other machines in <A href="manpage.d/ipsec.conf.5.html">
3017 ipsec.conf</A> and our machine's private key in <A href="manpage.d/ipsec.secrets.5.html">
3018 ipsec.secrets</A>.</LI>
3022 <P><A href="#manual"> Manually keyed</A> connections provide weaker
3023 security than <A href="#auto">automatically keyed</A> connections. An
3024 opponent who gets a key gets all data encrypted by it. We discuss using <A
3025 href="#prodman">manual keying in production</A> below, but this is <STRONG>
3026 not recommended</STRONG> except in special circumstances, such as
3027 needing to communicate with some implementation that offers no
3028 auto-keyed mode compatible with FreeS/WAN. Manual keying is useful for
3030 <P> With automatically-(re)-keyed connections, the keys change often so
3031 an opponent who gets one key does not get a large amount of data. An
3032 opponent who gets a shared secret, or your private key if public key
3033 authentication is used, does not automatically gain access to any
3034 encryption keys or any data. Once your authentication mechanism has
3035 been subverted you have no way to prevent the attacker getting keys and
3036 data, but the attacker still has to work for them.</P>
3037 <H4><A name="auto-auth">Authentication methods for auto-keying</A></H4>
3038 <P> The IKE protocol which Pluto uses to negotiate connections between
3039 gateways must use some form of authentication of peers. A gateway must
3040 know who it is talking to before it can create a secure connection. We
3041 currently support two methods for this authentication:</P>
3043 <LI>shared secrets</LI>
3044 <LI>RSA authentication</LI>
3046 <P> See our <A href="#patch">links section</A> for information on
3047 user-contributed patches which provide a third mechanism:</P>
3049 <LI>authentication with <A href="#X509">x.509</A> certificates</LI>
3051 <P> As a long-term goal, FreeS/WAN plans to support distribution of
3052 public keys for authentication via <A href="#SDNS">secure DNS</A>. This
3053 would allow us to support <A href="#carpediem">opportunistic encryption</A>
3054 . Any two FreeS/WAN gateways could provide secure communication,
3055 without either of them having any preset information about the other.</P>
3056 <P>This is <STRONG>not implemented in this release</STRONG>.</P>
3057 <H4><A name="adv-pk">Advantages of public key methods</A></H4>
3058 <P> Authentication with a <A href="#public">public key</A> method such
3059 as <A href="#RSA">RSA</A> has some important advantages over using
3062 <LI>no problem of secure transmission of secrets
3064 <LI>A shared secret must be shared, so you have the problem of
3065 transmitting it securely to the other party. If you get this wrong,
3066 you have no security.</LI>
3067 <LI>With a public key technique, you transmit only your public key.
3068 The system is designed to ensure that it does not matter if an enemy
3069 obtains public keys. The private key never leaves your machine.</LI>
3072 <LI>easier management
3074 <LI>Suppose you have 20 branch offices all connecting to one gateway at
3075 head office, and all using shared secrets. Then the head office admin
3076 has 20 secrets to manage. Each of them must be kept secret not only
3077 from outsiders, but also from 19 of the branch office admins. The
3078 branch office admins have only one secret each to manage.</LI>
3079 <P> If the branch offices need to talk to each other, this becomes
3080 problematic. You need another <NOBR>20*19/2 = 190</NOBR> secrets for
3081 branch-to-branch communication, each known to exactly two branches.
3082 Now all the branch admins have the headache of handling 20 keys, each
3083 shared with exactly one other branch or with head office. </P>
3084 <P> For larger numbers of branches, the number of connections and
3085 secrets increases quadratically and managing them becomes a
3086 nightmare. A 1000-gateway fully connected network needs 499,500
3087 secrets, each known to exactly two players. There are ways to reduce
3088 this problem, for example by introducing a central key server, but
3089 these involve additional communication overheads, more administrative
3090 work, and new threats that must be carefully guarded against.</P>
3093 <LI>With public key techniques, the <EM>only</EM> thing you have to
3094 keep secret is your private key, and <EM>you keep that secret from
3095 everyone</EM>. </LI>
3096 <P> As network size increaes, the number of public keys used increases
3097 linearly with the number of nodes. This still requires careful
3098 administration in large applications, but is nothing like the disaster
3099 of a quadratic increase. On a 1000-gateway network, you have 1000
3100 private keys, each of which must be kept secure on one machine, and
3101 1000 public keys which must be distributed. This is not a trivial
3102 problem, but it is manageable. </P>
3104 <LI>does not require fixed IP addresses
3106 <LI>When shared secrets are used in IPSEC, the responder must be able
3107 to tell which secret to use by looking at the IP address on the
3108 incoming packets. When the other parties do not have a fixed IP
3109 address to be identified by (for example, on nearly all dialup ISP
3110 connections and many cable or ADSL links), this does not work well --
3111 all must share the same secret!</LI>
3112 <LI>When RSA authentication is in use, the initiator can identify
3113 itself by name before the key must be determined. The responder then
3114 checks that the message is signed with the public key corresponding to
3118 <P>There is also a disadvantage:</P>
3120 <LI>your private key is a single point of attack, extremely valuable to
3123 <LI>with shared secrets, an attacker who steals your ipsec.secrets
3124 file can impersonate you or try <A href="#middle">man-in-the-middle</A>
3125 attacks, but can only attack connections described in that file</LI>
3126 <LI>an attacker who steals your private key gains the chance to attack
3127 not only existing connections <EM>but also any future connections</EM>
3128 created using that key</LI>
3132 <P>This is partly counterbalanced by the fact that the key is never
3133 transmitted and remains under your control at all times. It is likely
3134 necessary, however, to take account of this in setting security
3135 policy. For example, you should change gateway keys when an
3136 administrator leaves the company, and should change them periodically
3138 <P> Overall, public key methods are <STRONG>more secure, more easily
3139 managed and more flexible</STRONG>. We recommend that they be used for
3140 all connections, unless there is a compelling reason to do otherwise.</P>
3141 <H3><A name="prodsecrets">Using shared secrets in production</A></H3>
3142 <P> Generally, public key methods are preferred for reasons given
3143 above, but shared secrets can be used with no loss of security, just
3144 more work and perhaps more need to take precautions.</P>
3145 <H4><A name="secrets">Putting secrets in ipsec.secrets(5)</A></H4>
3146 <P> If shared secrets are to be used to <A href="#authentication">
3147 authenticate</A> communication for the <A href="#DH">Diffie-Hellman</A>
3148 key exchange in the <A href="#IKE">IKE</A> protocol, then those
3149 secrets must be stored in <VAR>/etc/ipsec.secrets</VAR>. For details,
3150 see the <A href="manpage.d/ipsec.secrets.5.html">ipsec.secrets(5)</A>
3152 <P>A few considerations are vital:</P>
3154 <LI>make the secrets long and unguessable. Since they need not be
3155 remembered by humans, very long ugly strings may be used. We suggest
3156 using our <A href="manpage.d/ipsec_ranbits.8.html">ipsec_ranbits(8)</A>
3157 utility to generate long (128 bits or more) random strings.</LI>
3158 <LI>transmit secrets securely. You have to share them with other
3159 systems, but you lose if they are intercepted and used against you.
3160 Use <A href="#PGP">PGP</A>, <A href="#SSH">SSH</A>, hand delivery of a
3161 floppy disk which is then destroyed, or some other trustworthy method
3162 to deliver them.</LI>
3163 <LI>store secrets securely, in root-owned files with permissions
3165 <LI>limit sharing of secrets. Alice, Bob, Carol and Dave may all talk
3166 to each other, but only Alice and Bob should know the secret for an
3167 Alice-Bob link.</LI>
3168 <LI><STRONG>do not share private keys</STRONG>. The private key for RSA
3169 authentication of your system is stored in <A href="manpage.d#ipsec.secrets.5.html">
3170 ipsec.secrets(5)</A>, but it is a different class of secret from the
3171 pre-shared keys used for the "shared secret" authentication. No-one
3172 but you should have the RSA private key. </LI>
3174 <P> Each line has the IP addresses of the two gateways plus the secret.
3175 It should look something like this:</P>
3177 10.0.0.1 11.0.0.1 : PSK "jxTR1lnmSjuj33n4W51uW3kTR55luUmSmnlRUuWnkjRj3UuTV4T3USSu23Uk55nWu5TkTUnjT"
3179 <P><VAR> PSK</VAR> indicates the use of a <STRONG>p</STRONG>re-<STRONG>s</STRONG>
3180 hared <STRONG> k</STRONG>ey. The quotes and the whitespace shown are
3182 <P> You can use any character string as your secret. For security, it
3183 should be both long and extremely hard to guess. We provide a utility
3184 to generate such strings, <A href="manpage.d/ipsec_ranbits.8.html">
3185 ipsec_ranbits(8)</A>. </P>
3186 <P> You want the same secret on the two gateways used, so you create a
3187 line with that secret and the two gateway IP addresses. The
3188 installation process supplies an example secret, useful <EM>only</EM>
3189 for testing. You must change it for production use.</P>
3190 <H4><A name="securing.secrets">File security</A></H4>
3191 <P> You must deliver this file, or the relevant part of it, to the
3192 other gateway machine by some <STRONG>secure</STRONG> means. <EM>Don't
3193 just FTP or mail the file!</EM> It is vital that the secrets in it
3194 remain secret. An attacker who knew those could easily have <EM>all the
3195 data on your "secure" connection</EM>.</P>
3196 <P> This file must be owned by root and should have permissions <VAR>
3197 rw-------</VAR>.</P>
3198 <H4><A name="notroadshared">Shared secrets for road warriors</A></H4>
3199 <P> You can use a shared secret to support a single road warrior
3200 connecting to your gateway, and this is a reasonable thing to do in
3201 some circumstances. Public key methods have advantages, discussed <A href="#choose">
3202 above</A>, but they are not critical in this case.</P>
3203 <P> To do this, the line in ipsec.secrets(5) is something like: </P>
3205 10.0.0.1 0.0.0.0 : PSK "jxTR1lnmSjuj33n4W51uW3kTR55luUmSmnlRUuWnkjRj3UuTV4T3USSu23Uk55nWu5TkTUnjT"
3207 where the <VAR>0.0.0.0</VAR> means that any IP address is acceptable.
3208 <P><STRONG> For more than one road warrior, shared secrets are <EM>not</EM>
3209 recommended.</STRONG> If shared secrets are used, then when the
3210 responder needs to look up the secret, all it knows about the sender is
3211 an IP address. This is fine if the sender is at a fixed IP address
3212 specified in the config file. It is also fine if only one road warrior
3213 uses the wildcard <VAR>0.0.0.0</VAR> address. However, if you have more
3214 than one road warrior using shared secret authentication, then they
3215 must all use that wildcard and therefore <STRONG>all road warriors
3216 using PSK autentication must use the same secret</STRONG>. Obviously,
3217 this is insecure. </P>
3218 <P><STRONG> For multiple road warriors, use public key authentication.</STRONG>
3219 Each roadwarrior can then have its own identity (our <VAR>leftid=</VAR>
3220 or <VAR>rightid=</VAR> parameters), its own public/private key pair,
3221 and its own secure connection. </P>
3222 <H3><A name="prodman">Using manual keying in production</A></H3>
3223 <P> Generally, <A href="#auto">automatic keying</A> is preferred over <A href="#manual">
3224 manual keying</A> for production use because it is both easier to
3225 manage and more secure. Automatic keying frees the admin from much of
3226 the burden of managing keys securely, and can provide <A href="#PFS">
3227 perfect forward secrecy</A>.</P>
3228 <P> However, it is possible to use manual keying in production if that
3229 is what you want to do. This might be necessary, for example, in order
3230 to interoperate with some device that either does not provide automatic
3231 keying or provides it in some version we cannot talk to.</P>
3232 <P> Note that with manual keying <STRONG>all security rests with the
3233 keys</STRONG>. If an adversary acquires your keys, you've had it. He or
3234 she can read everything ever sent with those keys, including old
3235 messages he or she may have archived. You need to <STRONG>be really
3236 paranoid about keys</STRONG> if you're going to rely on manual keying
3237 for anything important.</P>
3239 <LI>keep keys in files with 600 permissions, owned by root</LI>
3240 <LI>be extremely careful about security of your gateway systems.
3241 Anyone who breaks into a gateway and gains root privileges can get
3242 all your keys and read everything ever encrypted with those keys, both
3243 old messages he has archived and any new ones you may send. </LI>
3244 <LI>change keys regularly. This can be a considerable bother, (and
3245 provides an excellent reason to consider automatic keying instead),
3246 but it is <EM>absolutely essential</EM> for security. Consider a
3247 manually keyed system in which you leave the same key in place for
3250 <LI>an attacker can have a very large sample of text sent with that
3251 key to work with. This makes various cryptographic attacks much more
3252 likely to succeed. </LI>
3253 <LI>The chances of the key being compromised in some non-cryptographic
3254 manner -- a spy finds it on a discarded notepad, someone breaks into
3255 your server or your building and steals it, a staff member is bribed,
3256 tricked, seduced or coerced into revealing it, etc. -- also increase
3258 <LI>a successful attacker can read everything ever sent with that key.
3259 This makes any successful attack extremely damaging. </LI>
3261 It is clear that you must change keys often to have any useful
3262 security. The only question is how often. </LI>
3263 <LI>use <A href="#PGP">PGP</A> or <A href="#SSH">SSH</A> for all key
3265 <LI>don't edit files with keys in them when someone can look over your
3267 <LI>worry about network security; could someone get keys by snooping
3268 packets on the LAN between your X desktop and the gateway?</LI>
3269 <LI>lock up your backup tapes for the gateway system</LI>
3270 <LI>... and so on</LI>
3272 <P> Linux FreeS/WAN provides some facilities to help with this. In
3273 particular, it is good policy to <STRONG>keep keys in separate files</STRONG>
3274 so you can edit configuration information in /etc/ipsec.conf without
3275 exposing keys to "shoulder surfers" or network snoops. We support this
3276 with the <VAR>also=</VAR> and <VAR>include</VAR> syntax in <A href="manpage.d/ipsec_conf.5.html">
3277 ipsec.conf(5)</A>.</P>
3278 <P> See the last example in our <A href="examples">examples</A> file.
3279 In the /etc/ipsec.conf <VAR>conn samplesep</VAR> section, it has the
3284 <P> which tells the "ipsec manual" script to insert the configuration
3285 description labelled "samplesep-keys" if it can find it. The
3286 /etc/ipsec.conf file must also have a line such as:</P>
3288 include ipsec.*.conf
3290 <P> which tells it to read other files. One of those other files then
3291 might contain the additional data:</P>
3296 espenckey=0x01234567_89abcdef_02468ace_13579bdf_12345678_9abcdef0
3297 espauthkey=0x12345678_9abcdef0_2468ace0_13579bdf
3299 <P> The first line matches the label in the "also=" line, so the
3300 indented lines are inserted. The net effect is exactly as if the
3301 inserted lines had occurred in the original file in place of the
3302 "also=" line.</P>
3303 <P>Variables set here are:</P>
3306 <DD>A number needed by the manual keying code. Any 3-digit hex number
3307 will do, but if you have more than one manual connection then <STRONG>
3308 spi must be different</STRONG> for each connection.</DD>
3310 <DD>Options for <A href="#ESP">ESP</A> (Encapsulated Security Payload),
3311 the usual IPSEC encryption mode. Settings here are for <A href="#encryption">
3312 encryption</A> using <A href="#3DES">triple DES</A> and <A href="#authentication">
3313 authentication</A> using <A href="#MD5">MD5</A>. Note that encryption
3314 without authentication should not be used; it is insecure.</DD>
3316 <DD>Key for ESP encryption. Here, a 192-bit hex number for triple DES.</DD>
3318 <DD>Key for ESP authentication. Here, a 128-bit hex number for MD5. </DD>
3320 <P><STRONG> Note</STRONG> that the <STRONG>example keys we supply</STRONG>
3321 are intended <STRONG>only for testing</STRONG>. For real use, you
3322 should go to automatic keying. If that is not possible, create your own
3323 keys for manual mode and keep them secret </P>
3324 <P>Of course, any files containing keys <STRONG>must</STRONG> have 600
3325 permissions and be owned by root.</P>
3326 <P> If you connect in this way to multiple sites, we recommend that you
3327 keep keys for each site in a separate file and adopt some naming
3328 convention that lets you pick them all up with a single "include"
3329 line. This minimizes the risk of losing several keys to one error or
3330 attack and of accidentally giving another site admin keys which he or
3331 she has no business knowing.</P>
3332 <P>Also note that if you have multiple manually keyed connections on a
3333 single machine, then the <VAR>spi</VAR> parameter must be different
3334 for each one. Any 3-digit hex number is OK, provided they are
3335 different for each connection. We reserve the range 0x100 to 0xfff for
3336 manual connections. Pluto assigns SPIs from 0x1000 up for
3337 automatically keyed connections.</P>
3338 <P>If <A href="manpage.d/ipsec.conf.5.html">ipsec.conf(5)</A> contains
3339 keys for manual mode connections, then it too must have permissions <VAR>
3340 rw-------</VAR>. We recommend instead that, if you must manual keying
3341 in production, you keep the keys in separate files.</P>
3342 <P> Note also that <A href="manpage.d/ipsec.conf.5.html">ipsec.conf</A>
3343 is installed with permissions <VAR>rw-r--r--</VAR>. If you plan to use
3344 manually keyed connections for anything more than initial testing, you <B>
3347 <LI>either change permissions to <VAR>rw-------</VAR></LI>
3348 <LI>or store keys separately in secure files and access them via
3349 include statements in <A href="manpage.d/ipsec.conf.5.html">ipsec.conf</A>
3352 <P> We recommend the latter method for all but the simplest
3355 <H4><A name="ranbits">Creating keys with ranbits</A></H4>
3356 <P>You can create new <A href="#random">random</A> keys with the <A href="manpage.d/ipsec_ranbits.8.html">
3357 ranbits(8)</A> utility. For example, the commands:</P>
3359 ipsec ranbits 192 > temp
3360 ipsec ranbits 128 >> temp</PRE>
3361 <P>create keys in the sizes needed for our default algorithms:</P>
3363 <LI>192-bit key for <A href="#3DES">3DES</A> encryption
3364 <BR> (only 168 bits are used; parity bits are ignored)</LI>
3365 <LI>128-bit key for keyed <A href="#MD5">MD5</A> authentication</LI>
3367 <P>If you want to use <A href="#SHA">SHA</A> instead of <A href="#MD5">
3368 MD5</A>, that requires a 160-bit key</P>
3369 <P>Note that any <STRONG>temporary files</STRONG> used must be kept <STRONG>
3370 secure</STRONG> since they contain keys. That is the reason for the
3371 umask command above. The temporary file should be deleted as soon as
3372 you are done with it. You may also want to change the umask back to
3373 its default value after you are finished working on keys.</P>
3374 <P>The ranbits utility may pause for a few seconds if not enough
3375 entropy is available immediately. See ipsec_ranbits(8) and random(4)
3376 for details. You may wish to provide some activity to feed entropy
3377 into the system. For example, you might move the mouse around, type
3378 random characters, or do <VAR> du /usr > /dev/null</VAR> in the
3380 <H3><A name="boot">Setting up connections at boot time</A></H3>
3381 <P>You can tell the system to set up connections automatically at boot
3382 time by putting suitable stuff in /etc/ipsec.conf on both systems. The
3383 relevant section of the file is labelled by a line reading <VAR>config
3385 <P>Details can be found in the <A href="manpage.d/ipsec.conf.5.html">
3386 ipsec.conf(5)</A> man page. We also provide a file of <A href="examples">
3387 example configurations</A>.</P>
3388 <P>The most likely options are something like:</P>
3391 <DT>interfaces="ipsec0=eth0 ipsec1=ppp0"</DT>
3392 <DD>Tells KLIPS which interfaces to use. Up to four interfaces numbered
3393 ipsec[0-3] are supported. Each interface can support an arbitrary
3394 number of tunnels. </DD>
3395 <P>Note that for PPP, you give the ppp[0-9] device name here, not the
3396 underlying device such as modem (or eth1 if you are using PPPoE).</P>
3397 <DT>interfaces=%defaultroute</DT>
3398 <DD>Alternative setting, useful in simple cases. KLIPS will pick up
3399 both its interface and the next hop information from the settings of
3400 the Linux default route.</DD>
3401 <DT>forwardcontrol=no</DT>
3402 <DD>Normally "no". Set to "yes" if the IP forwarding option is disabled
3403 in your network configuration. (This can be set as a kernel
3404 configuration option or later. e.g. on Redhat, it's in
3405 /etc/sysconfig/network and on SuSE you can adjust it with Yast.) Linux
3406 FreeS/WAN will then enable forwarding when starting up and turn it off
3407 when going down. This is used to ensure that no packets will be
3408 forwarded before IPSEC comes up and takes control.</DD>
3409 <DT>syslog=daemon.error</DT>
3410 <DD>Used in messages to the system logging daemon (syslogd) to specify
3411 what type of software is sending the messages. If the settings are
3412 "daemon.error" as in our example, then syslogd treats the messages as
3413 error messages from a daemon. </DD>
3414 <P>Note that <A href="#Pluto">Pluto</A> does not currently pay
3415 attention to this variable. The variable controls setup messages only.</P>
3416 <DT>klipsdebug=</DT>
3417 <DD>Debug settings for <A href="#KLIPS">KLIPS</A>.</DD>
3418 <DT>plutodebug=</DT>
3419 <DD>Debug settings for <A href="#Pluto">Pluto</A>.</DD>
3420 <DT>... for both the above DEBUG settings</DT>
3421 <DD>Normally, leave empty as shown above for no debugging output.
3422 <BR> Use "all" for maximum information.
3423 <BR> See ipsec_klipsdebug(8) and ipsec_pluto(8) man page for other
3424 options. Beware that if you set /etc/ipsec.conf to enable debug
3425 output, your system's log files may get large quickly.</DD>
3426 <DT>dumpdir=/safe/directory</DT>
3427 <DD>Normally, programs started by ipsec setup don't crash. If they do,
3428 by default, no core dump will be produced because such dumps would
3429 contain secrets. If you find you need to debug such crashes, you can
3430 set dumpdir to the name of a directory in which to collect the core
3432 <DT>manualstart=</DT>
3433 <DD>List of manually keyed connections to be automatically started at
3434 boot time. Useful for testing, but not for long term use. Connections
3435 which are automatically started should also be automatically re-keyed.</DD>
3437 <DD>Whether to start <A href="#Pluto">Pluto</A> when ipsec startup is
3439 <BR> This parameter is optional and defaults to "yes" if not present. </DD>
3440 <P>"yes" is strongly recommended for production use so that the keying
3441 daemon (Pluto) will automatically re-key the connections regularly.
3442 The ipsec-auto parameters ikelifetime, ipseclifetime and reykeywindow
3443 give you control over frequency of rekeying.</P>
3444 <DT>plutoload="reno-van reno-adam reno-nyc"</DT>
3445 <DD>List of tunnels (by name, e.g. fred-susan or reno-van in our
3446 examples) to be loaded into Pluto's internal database at startup. In
3447 this example, Pluto loads three tunnels into its database when it is
3449 <P>If plutoload is "%search", Pluto will load any connections whose
3450 description includes "auto=add" or "auto=start".</P>
3451 <DT>plutostart="reno-van reno-adam reno-nyc"</DT>
3452 <DD>List of tunnels to attempt to negotiate when Pluto is started. </DD>
3453 <P>If plutostart is "%search", Pluto will start any connections whose
3454 description includes "auto=start".</P>
3455 <P>Note that, for a connection intended to be permanent, <STRONG>both
3456 gateways should be set try to start</STRONG> the tunnel. This allows
3457 quick recovery if either gateway is rebooted or has its IPSEC
3458 restarted. If only one gateway is set to start the tunnel and the
3459 other gateway restarts, the tunnel may not be rebuilt.</P>
3460 <DT>plutowait=no</DT>
3461 <DD>Controls whether Pluto waits for one tunnel to be established
3462 before starting to negotiate the next. You might set this to "yes"
3464 <LI>if your gateway is a very limited machine and you need to conserve
3466 <LI>for debugging; the logs are clearer if only one connection is
3467 brought up at a time</LI>
3469 For a busy and resource-laden production gateway, you likely want "no"
3470 so that connections are brought up in parallel and the whole process
3471 takes less time.</DD>
3473 <P>The example assumes you are at the Reno office and will use IPSEC to
3474 Vancouver, New York City and Amsterdam.</P>
3475 <H3><A name="multitunnel">Multiple tunnels between the same two gateways</A>
3477 <P>Consider a pair of subnets, each with a security gateway, connected
3478 via the Internet:</P>
3480 192.168.100.0/24 left subnet
3484 101.101.101.101 left
3486 101.101.101.1 left next hop
3488 202.202.202.1 right next hop
3490 202.202.202.202 right
3494 192.168.200.0/24 right subnet
3496 <P>A tunnel specification such as:</P>
3498 conn northnet-southnet
3499 left=101.101.101.101
3500 leftnexthop=101.101.101.1
3501 leftsubnet=192.168.100.0/24
3503 right=202.202.202.202
3504 rightnexthop=202.202.202.1
3505 rightsubnet=192.168.200.0/24
3508 will allow machines on the two subnets to talk to each other. You
3509 might test this by pinging from polarbear (192.168.100.7) to penguin
3511 <P> However, <STRONG>this does not cover other traffic you might want
3512 to secure</STRONG>. To handle all the possibilities, you might also
3513 want these connection descriptions:</P>
3515 conn northgate-southnet
3516 left=101.101.101.101
3517 leftnexthop=101.101.101.1
3518 right=202.202.202.202
3519 rightnexthop=202.202.202.1
3520 rightsubnet=192.168.200.0/24
3523 conn northnet-southgate
3524 left=101.101.101.101
3525 leftnexthop=101.101.101.1
3526 leftsubnet=192.168.100.0/24
3528 right=202.202.202.202
3529 rightnexthop=202.202.202.1
3531 <P> Without these, neither gateway can do IPSEC to the remote subnet.
3532 There is no IPSEC tunnel or eroute set up for the traffic.</P>
3533 <P> In our example, with the non-routable 192.168.* addresses used,
3534 packets would simply be discarded. In a different configuration, with
3535 routable addresses for the remote subnet, <STRONG>they would be sent
3536 unencrypted</STRONG> since there would be no IPSEC eroute and there
3537 would be a normal IP route.</P>
3538 <P> You might also want:</P>
3540 conn northgate-southgate
3541 left=101.101.101.101
3542 leftnexthop=101.101.101.1
3543 right=202.202.202.202
3544 rightnexthop=202.202.202.1
3546 <P> This is required if you want the two gateways to speak IPSEC to
3548 <P> This requires a lot of duplication of details. Judicious use of <VAR>
3549 also=</VAR> and <VAR>include</VAR> can reduce this problem.</P>
3550 <P> Note that, while FreeS/WAN supports all four tunnel types, not all
3551 implementations do. In particular, some versions of Windows 2000 and
3552 the freely downloadable version of PGP provide only "client"
3553 functionality. You cannot use them as gateways with a subnet behind
3554 them. To get that functionality, you must upgrade to Windows 2000
3555 server or the commercially available PGP products. </P>
3556 <H4><A name="advroute">One tunnel plus advanced routing</A></H4>
3557 It is also possible to use the new routing features in 2.2 and later
3558 kernels to avoid most needs for multple tunnels. Here is one mailing
3559 list message on the topic:
3561 Subject: Re: linux-ipsec: IPSec packets not entering tunnel?
3562 Date: Mon, 20 Nov 2000
3563 From: Justin Guyett <jfg@sonicity.com>
3565 On Mon, 20 Nov 2000, Claudia Schmeing wrote:
3568 > "home" "office"
3569 > 10.92.10.0/24 ---- 24.93.85.110 ========= 216.175.164.91 ---- 10.91.10.24/24
3571 > I've created all four tunnels, and can ping to test each of them,
3572 > *except* homegate-officenet.
3574 I keep wondering why people create all four tunnels. Why not route
3575 traffic generated from home to 10.91.10.24/24 out ipsec0 with iproute2?
3576 And 99% of the time you don't need to access "office" directly, which
3577 means you can eliminate all but the subnet<->subnet connection.
3579 and FreeS/WAN technical lead Henry Spencer's comment:
3581 > I keep wondering why people create all four tunnels. Why not route
3582 > traffic generated from home to 10.91.10.24/24 out ipsec0 with iproute2?
3584 This is feasible, given some iproute2 attention to source addresses, but
3585 it isn't something we've documented yet... (partly because we're still
3586 making some attempt to support 2.0.xx kernels, which can't do this, but
3587 mostly because we haven't caught up with it yet).
3589 > And 99% of the time you don't need to access "office" directly, which
3590 > means you can eliminate all but the subnet<->subnet connection.
3592 Correct in principle, but people will keep trying to ping to or from the
3593 gateways during testing, and sometimes they want to run services on the
3594 gateway machines too.
3597 <H3><A name="biggate">Many tunnels from a single gateway</A></H3>
3598 <P> FreeS/WAN allows a single gateway machine to build tunnels to many
3599 others. There may, however, be some problems for large numbers as
3600 indicated in this message from the mailing list:</P>
3602 Subject: Re: Maximum number of ipsec tunnels?
3603 Date: Tue, 18 Apr 2000
3604 From: "John S. Denker" <jsd@research.att.com>
3606 Christopher Ferris wrote:
3608 >> What are the maximum number ipsec tunnels FreeS/WAN can handle??
3610 Henry Spencer wrote:
3612 >There is no particular limit. Some of the setup procedures currently
3613 >scale poorly to large numbers of connections, but there are (clumsy)
3614 >workarounds for that now, and proper fixes are coming.
3616 1) "Large" numbers means anything over 50 or so. I routinely run boxes
3617 with about 200 tunnels. Once you get more than 50 or so, you need to worry
3618 about several scalability issues:
3620 a) You need to put a "-" sign in syslogd.conf, and rotate the logs daily
3623 b) Processor load per tunnel is small unless the tunnel is not up, in which
3624 case a new half-key gets generated every 90 seconds, which can add up if
3625 you've got a lot of down tunnels.
3627 c) There's other bits of lore you need when running a large number of
3628 tunnels. For instance, systematically keeping the .conf file free of
3629 conflicts requires tools that aren't shipped with the standard freeswan
3632 d) The pluto startup behavior is quadratic. With 200 tunnels, this eats up
3633 several minutes at every restart. I'm told fixes are coming soon.
3635 2) Other than item (1b), the CPU load depends mainly on the size of the
3636 pipe attached, not on the number of tunnels.
3638 <P> It is worth noting that item (1b) applies only to repeated attempts
3639 to re-key a data connection (IPSEC SA, Phase 2) over an established
3640 keying connection (ISAKMP SA, Phase 1). There are two ways to reduce
3641 this overhead using settings in <A href="manpage.d#ipsec.conf.5.html">
3642 ipsec.conf(5)</A>: </P>
3644 <LI>set <VAR>keyingtries</VAR> to some small value to limit repetitions </LI>
3645 <LI>set <VAR>keylife</VAR> to a short time so that a failing data
3646 connection will be cleaned up when the keying connection is reset. </LI>
3648 <P> The overheads for establishing keying connections (ISAKMP SAs,
3649 Phase 1) are lower because for these Pluto does not perform expensive
3650 operations before receiving a reply from the peer.</P>
3651 <H3><A name="extruded">Extruded Subnets</A></H3>
3652 <P>What we call <A href="#extruded">extruded subnets</A> are a special
3653 case of <A href="#VPN">VPNs</A>.</P>
3654 <P>If your buddy has some unused IP addresses, in his subnet far off at
3655 the other side of the Internet, he can loan them to you... provided
3656 that the connection between you and him is fast enough to carry all
3657 the traffic between your machines and the rest of the Internet. In
3658 effect, he "extrudes" a part of his address space over the network to
3659 you, with your Internet traffic appearing to originate from behind his
3660 Internet gateway.</P>
3661 <P>Suppose your friend has a.b.c.0/24 and wants to give you
3662 a.b.c.240/28. The initial situation is:</P>
3663 <PRE> subnet gateway Internet
3664 a.b.c.0/24 a.b.c.1 p.q.r.s</PRE>
3665 where anything from the Internet destined for any machine in
3666 a.b.c.0/24 is routed via p.q.r.s and that gateway knows what to do
3668 <P> Of course it is quite normal for various smaller subnets to exist
3669 behind your friend's gateway. For example, your friend's company might
3670 have a.b.c.16/28=development, a.b.c.32/28=marketing and so on. The
3671 Internet neither knows not cares about this; it just delivers packets
3672 to the p.q.r.s and lets the gateway do whatever needs to be done from
3674 <P> What we want to do is take a subnet, perhaps a.b.c.240/28, out of
3675 your friend's physical location <EM>while still having your friend's
3676 gateway route to it</EM>. As far as the Internet is concerned, you
3677 remain behind that gateway.</P>
3678 <PRE> subnet gateway Internet your gate extruded
3680 a.b.c.0/24 a.b.c.1 p.q.r.s d.e.f.g a.b.c.240/28
3682 ========== tunnel ==========</PRE>
3683 <P>The extruded addresses have to be a complete subnet.</P>
3684 <P>In our example, the friend's security gateway is also his Internet
3685 gateway, but this is not necessary. As long as all traffic from the
3686 Internet to his addresses passes through the Internet gate, the
3687 security gate could be a machine behind that. The IG would need to
3688 route all traffic for the extruded subnet to the SG, and the SG could
3689 handle the rest.</P>
3690 <P>First, configure your subnet using the extruded addresses. Your
3691 security gateway's interface to your subnet needs to have an extruded
3692 address (possibly using a Linux <A href="#virtual">virtual interface</A>
3693 , if it also has to have a different address). Your gateway needs to
3694 have a route to the extruded subnet, pointing to that interface. The
3695 other machines at your site need to have addresses in that subnet, and
3696 default routes pointing to your gateway.</P>
3697 <P>If any of your friend's machines need to talk to the extruded
3698 subnet, <EM> they</EM> need to have a route for the extruded subnet,
3699 pointing at his gateway.</P>
3700 <P>Then set up an IPSEC subnet-to-subnet tunnel between your gateway
3701 and his, with your subnet specified as the extruded subnet, and his
3702 subnet specified as "0.0.0.0/0". Do it with manual keying first for
3703 testing, and then with automatic keying for production use.</P>
3704 <P>The tunnel description should be:</P>
3708 leftsubnet=0.0.0.0/0
3710 rightsubnet=a.b.c.0/28
3712 <P> If either side was doing firewalling for the extruded subnet before
3713 the IPSEC connection is set up, ipsec_manual and ipsec_auto need to
3714 know about that (via the {left|right}firewall parameters) so that it
3715 can be overridden for the duration of the connection.</P>
3716 <P> And it all just works. Your SG routes traffic for 0.0.0.0/0 --
3717 that is, the whole Internet -- through the tunnel to his SG, which
3718 then sends it onward as if it came from his subnet. When traffic for
3719 the extruded subnet arrives at his SG, it gets sent through the tunnel
3720 to your SG, which passes it to the right machine.</P>
3721 <P> Remember that when ipsec_manual or ipsec_auto takes a connection
3722 down, it <EM> does not undo the route</EM> it made for that connection.
3723 This lets you take a connection down and bring up a new one, or a
3724 modified version of the old one, without having to rebuild the route
3725 it uses and without any risk of packets which should use IPSEC
3726 accidentally going out in the clear. Because the route always points
3727 into KLIPS, the packets will always go there. Because KLIPS
3728 temporarily has no idea what to do with them (no eroute for them),
3729 they will be discarded.</P>
3730 <P>If you <EM>do</EM> want to take the route down, this is what the
3731 "unroute" operation in manual and auto is for. Just do an unroute
3732 after doing the down.</P>
3733 <P>Note that the route for a connection may have replaced an existing
3734 non-IPSEC route. Nothing in Linux FreeS/WAN will put that pre-IPSEC
3735 route back. If you need it back, you have to create it with the route
3737 <H3><A name="roadvirt">Road Warrior with virtual IP address</A></H3>
3738 <P> Here is a mailing list message about another way to configure for
3739 road warrior support:</P>
3741 Subject: Re: linux-ipsec: understanding the vpn
3742 Date: Thu, 28 Oct 1999 10:43:22 -0400
3743 From: Irving Reid <irving@nevex.com>
3745 > local-------linux------internet------mobile
3749 > now when the mobile user connects to the linux box
3750 > it is given a virtual IP address, i have configured it to
3751 > be in the 10.x.x.x range. mobile user and linux box
3752 > have a tunnel between them with these IP addresses.
3754 > Uptil this all is fine.
3756 If it is possible to configure your mobile client software *not* to
3757 use a virtual IP address, that will make your life easier. It is easier
3758 to configure FreeS/WAN to use the actual address the mobile user gets
3761 Unfortunately, some Windows clients don't let you choose.
3763 > what i would like to know is that how does the mobile
3764 > user communicate with other computers on the local
3765 > LAN , of course with the vpn ?
3767 > what IP address should the local LAN
3768 > computers have ? I guess their default gateway
3769 > should be the linux box ? and does the linux box need
3770 > to be a 2 NIC card box or one is fine.
3772 As someone else stated, yes, the Linux box would usually be the default
3773 IP gateway for the local lan.
3777 If you mobile user has software that *must* use a virtual IP address,
3778 the whole picture changes. Nobody has put much effort into getting
3779 FreeS/WAN to play well in this environment, but here's a sketch of one
3782 Local Lan 1.0.0.0/24
3784 +- Linux FreeS/WAN 1.0.0.2
3794 Virtual Address: 1.0.0.3
3796 Note that the Local Lan network (1.0.0.x) can be registered, routable
3799 Now, the Mobile User sets up an IPSec security association with the
3800 Linux box (1.0.0.2); it should ESP encapsulate all traffic to the
3801 network 1.0.0.x **EXCEPT** UDP port 500. 500/udp is required for the key
3802 negotiation, which needs to work outside of the IPSec tunnel.
3804 On the Linux side, there's a bunch of stuff you need to do by hand (for
3805 now). FreeS/WAN should correctly handle setting up the IPSec SA and
3806 routes, but I haven't tested it so this may not work...
3808 The FreeS/WAN conn should look like:
3812 rightsubnet=1.0.0.0/24
3813 rightnexthop=1.0.0.1
3814 left=0.0.0.0 # The infamous "road warrior"
3815 leftsubnet=1.0.0.3/32
3817 Note that the left subnet contains *only* the remote host's virtual
3820 Hopefully the routing table on the FreeS/WAN box ends up looking like
3824 Kernel IP routing table
3825 Destination Gateway Genmask Flags MSS Window irtt Iface
3826 1.0.0.0 0.0.0.0 255.255.255.0 U 1500 0 0 eth0
3827 127.0.0.0 0.0.0.0 255.0.0.0 U 3584 0 0 lo
3828 0.0.0.0 1.0.0.1 0.0.0.0 UG 1500 0 0 eth0
3829 1.0.0.3 1.0.0.1 255.255.255.255 UG 1433 0 0 ipsec0
3831 So, if anybody sends a packet for 1.0.0.3 to the Linux box, it should
3832 get bundled up and sent through the tunnel. To get the packets for
3833 1.0.0.3 to the Linux box in the first place, you need to use "proxy
3836 How this works is: when a host or router on the local Ethernet segment
3837 wants to send a packet to 1.0.0.3, it sends out an Ethernet level
3838 broadcast "ARP request". If 1.0.0.3 was on the local LAN, it would
3839 reply, saying "send IP packets for 1.0.0.3 to my Ethernet address".
3841 Instead, you need to set up the Linux box so that _it_ answers ARP
3842 requests for 1.0.0.3, even though that isn't its IP address. That
3843 convinces everyone else on the lan to send 1.0.0.3 packets to the Linux
3844 box, where the usual FreeS/WAN processing and routing take over.
3846 % arp -i eth0 -s 1.0.0.3 -D eth0 pub
3848 This says, if you see an ARP request on interface eth0 asking for
3849 1.0.0.3, respond with the Ethernet address of interface eth0.
3851 Now, as I said at the very beginning, if it is *at all* possible to
3852 configure your client *not* to use the virtual IP address, you can avoid
3853 this whole mess.</PRE>
3854 <H3><A name="dynamic">Dynamic Network Interfaces</A></H3>
3855 <P>Sometimes you have to cope with a situation where the network
3856 interface(s) aren't all there at boot. The common example is notebooks
3858 <H4><A name="basicdyn">Basics</A></H4>
3859 <P>The key issue here is that the <VAR>config setup</VAR> section of
3860 the <VAR> /etc/ipsec.conf</VAR> configuration file lists the connection
3861 between ipsecN and hardware interfaces, in the <VAR>interfaces=</VAR>
3862 variable. At any time when <VAR>ipsec setup start</VAR> or <VAR>ipsec
3863 setup restart</VAR> is run this variable <STRONG>must</STRONG>
3864 correspond to the current real situation. More precisely, it <STRONG>
3865 must not</STRONG> mention any hardware interfaces which don't
3866 currently exist. The difficulty is that an <VAR>ipsec setup start</VAR>
3867 command is normally run at boot time so interfaces that are not up
3868 then are mis-handled.</P>
3869 <H4><A name="bootdyn">Boot Time</A></H4>
3870 <P> Normally, an <VAR>ipsec setup start</VAR> is run at boot time.
3871 However, if the hardware situation at boot time is uncertain, one of
3872 two things must be done.</P>
3874 <LI>One possibility is simply not to have IPSEC brought up at boot
3875 time. To do this: </LI>
3876 <PRE> chkconfig --level 2345 ipsec off</PRE>
3877 That's for modern Red Hats or other Linuxes with chkconfig. Systems
3878 which lack this will require fiddling with symlinks in /etc/rc.d/rc?.d
3880 <LI>Another possibility is to bring IPSEC up with no interfaces, which
3881 is less aesthetically satisfying but simpler. Just put </LI>
3885 in the configuration file. KLIPS and Pluto will be started, but won't
3887 <H4><A name="changedyn">Change Time</A></H4>
3888 <P>When the hardware *is* in place, IPSEC has to be made aware of it.
3889 Someday there may be a nice way to do this.</P>
3890 <P>Right now, the way to do it is to fix the <VAR>/etc/ipsec.conf</VAR>
3891 file appropriately, so <VAR>interfaces</VAR> reflects the new
3892 situation, and then restart the IPSEC subsystem. This does break any
3893 existing IPSEC connections.</P>
3894 <P>If IPSEC wasn't brought up at boot time, do</P>
3895 <PRE> ipsec setup start</PRE>
3897 <PRE> ipsec setup restart</PRE>
3898 which won't be as quick.
3899 <P>If some of the hardware is to be taken out, before doing that, amend
3900 the configuration file so interfaces no longer includes it, and do</P>
3901 <PRE> ipsec setup restart</PRE>
3902 <P>Again, this breaks any existing connections.</P>
3903 <H3><A name="unencrypted">Unencrypted tunnels</A></H3>
3904 <P> Sometimes you might want to create a tunnel without encryption.
3905 Often this is a bad idea, even if you have some data which need not be
3906 private. See this <A href="#traffic.resist">discussion</A>. </P>
3907 <P> The IPSEC protocols provide two ways to do build such tunnels: </P>
3909 <DT>using ESP with null encryption </DT>
3910 <DD>not supported by FreeS/WAN </DD>
3911 <DT>using <A href="#AH">AH</A> without <A href="#ESP">ESP</A></DT>
3912 <DD>supported for manually keyed connections </DD>
3913 <DD>possible with explicit commands via <A href="manpage.d/ipsec_whack.8.html">
3914 ipsec_whack(8)</A> (see this <A href="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2001/02/msg00190.html">
3915 list message</A>) </DD>
3916 <DD>not supported in the <A href="manpage.d/ipsec_auto.8.html">
3917 ipsec_auto(8)</A> scripts. </DD>
3919 One situation in which this comes up is when otherwise some data would
3920 be encrypted twice. Alice wants a secure tunnel from her machine to
3921 Bob's. Since she's behind one security gateway and he's behind another,
3922 part of the tunnel that they build passes through the tunnel that their
3923 site admins have built between the gateways. All of Alice and Bob's
3924 messages are encrypted twice.
3925 <P> There are several ways to handle this.</P>
3927 <LI>Just accept the overhead of double encryption. The site admins
3928 might choose this if any of the following apply:
3930 <LI>policy says encrypt everything (usually, it should) </LI>
3931 <LI>they don't entirely trust Alice and Bob (usually, if they don't
3932 have to, they shouldn't) </LI>
3933 <LI>if they don't feel the saved cycles are worth the time they'd need
3934 to build a non-encrypted tunnel for Alice and Bob's packets (often,
3938 <LI>Use a plain IP-in-IP tunnel. These are not well documented. A good
3939 starting point is in the Linux kernel source tree, in
3940 /usr/src/linux/drivers/net/README.tunnel.</LI>
3941 <LI>Use a manually-keyed AH-only tunnel.</LI>
3943 <P> Note that if Alice and Bob want end-to-end security, they must
3944 build a tunnel end-to-end between their machines or use some other
3945 end-to-end tool such as PGP or SSL that suits their data. The only
3946 question is whether the admins build some special unencrypted tunnel
3947 for those already-encrypted packets. </P>
3949 <H1><A name="manpages">FreeS/WAN manual pages</A></H1>
3950 <P> The various components of Linux FreeS/WAN are of course documented
3951 in standard Unix manual pages, accessible via the man(1) command.</P>
3952 <P> Links here take you to an HTML version of the man pages.</P>
3953 <H2><A name="man.file">Files</A></H2>
3955 <DT><A href="manpage.d/ipsec.conf.5.html">ipsec.conf(5)</A></DT>
3956 <DD>IPSEC configuration and connections</DD>
3957 <DT><A href="manpage.d/ipsec.secrets.5.html">ipsec.secrets(5)</A></DT>
3958 <DD>preshared secrets for IKE/IPsec authentication</DD>
3960 <P> These files are also discussed in the <A href="config.html">
3961 configuration</A> section.</P>
3962 <H2><A name="man.command">Commands</A></H2>
3963 <P> Many users will never give most of the FreeS/WAN commands directly.
3964 Configure the files listed above correctly and everything should be
3966 <P> One exception is:</P>
3968 <DT><A href="manpage.d/ipsec_rsasigkey.8.html">ipsec_rsasigkey(8)</A></DT>
3969 <DD>generate <A href="#RSA">RSA</A> keys for use in Pluto authentication</DD>
3973 <LI>These keys are for <STRONG>authentication only</STRONG>. They are <STRONG>
3974 not secure for encryption</STRONG>.</LI>
3975 <LI>The utility uses random(4) as a source of <A href="#random">random
3976 numbers</A>. This may block for some time if there is not enough
3977 activity on the machine to provide the required entropy. You may want
3978 to give it some bogus activity such as random mouse movements or some
3979 command such as <TT>du /usr > dev/null </TT></LI>
3981 <P>The following commands are fairly likely to be used, if only for
3982 testing and status checks:</P>
3984 <DT><A href="manpage.d/ipsec.8.html">ipsec(8)</A></DT>
3985 <DD>invoke IPSEC utilities</DD>
3986 <DT><A href="manpage.d/ipsec_setup.8.html">ipsec_setup(8)</A></DT>
3987 <DD>control IPSEC subsystem</DD>
3988 <DT><A href="manpage.d/ipsec_auto.8.html">ipsec_auto(8)</A></DT>
3989 <DD>control automatically-keyed IPSEC connections</DD>
3990 <DT><A href="manpage.d/ipsec_manual.8.html">ipsec_manual(8)</A></DT>
3991 <DD>take manually-keyed IPSEC connections up and down</DD>
3992 <DT><A href="manpage.d/ipsec_ranbits.8.html">ipsec_ranbits(8)</A></DT>
3993 <DD>generate random bits in ASCII form</DD>
3994 <DT><A href="manpage.d/ipsec_look.8.html">ipsec_look(8)</A></DT>
3995 <DD>show minimal debugging information</DD>
3996 <DT><A href="manpage.d/ipsec_barf.8.html">ipsec_barf(8)</A></DT>
3997 <DD>spew out collected IPSEC debugging information</DD>
3999 <P>The lower-level utilities listed below are normally invoked via
4000 scripts listed above, but they can also be used directly when required.</P>
4002 <DT><A href="manpage.d/ipsec_eroute.8.html">ipsec_eroute(8)</A></DT>
4003 <DD>manipulate IPSEC extended routing tables</DD>
4004 <DT><A href="manpage.d/ipsec_klipsdebug.8.html">ipsec_klipsdebug(8)</A></DT>
4005 <DD>set Klips (kernel IPSEC support) debug features and level</DD>
4006 <DT><A href="manpage.d/ipsec_pluto.8.html">ipsec_pluto(8)</A></DT>
4007 <DD>IPsec IKE keying daemon</DD>
4008 <DT><A href="manpage.d/ipsec_spi.8.html">ipsec_spi(8)</A></DT>
4009 <DD>manage IPSEC Security Associations</DD>
4010 <DT><A href="manpage.d/ipsec_spigrp.8.html">ipsec_spigrp(8)</A></DT>
4011 <DD>group/ungroup IPSEC Security Associations</DD>
4012 <DT><A href="manpage.d/ipsec_tncfg.8.html">ipsec_tncfg(8)</A></DT>
4013 <DD>associate IPSEC virtual interface with real interface</DD>
4014 <DT><A href="manpage.d/ipsec_whack.8.html">ipsec_whack(8)</A></DT>
4015 <DD>control interface for IPSEC keying daemon</DD>
4017 <H2><A name="man.lib">Library routines</A></H2>
4019 <DT><A href="manpage.d/ipsec_atoaddr.3.html">ipsec_atoaddr(3)</A></DT>
4020 <DT><A href="manpage.d/ipsec_addrtoa.3.html">ipsec_addrtoa(3)</A></DT>
4021 <DD>convert Internet addresses to and from ASCII</DD>
4022 <DT><A href="manpage.d/ipsec_atosubnet.3.html">ipsec_atosubnet(3)</A></DT>
4023 <DT><A href="manpage.d/ipsec_subnettoa.3.html">ipsec_subnettoa(3)</A></DT>
4024 <DD>convert subnet/mask ASCII form to and from addresses</DD>
4025 <DT><A href="manpage.d/ipsec_atoasr.3.html">ipsec_atoasr(3)</A></DT>
4026 <DD>convert ASCII to Internet address, subnet, or range</DD>
4027 <DT><A href="manpage.d/ipsec_rangetoa.3.html">ipsec_rangetoa(3)</A></DT>
4028 <DD>convert Internet address range to ASCII</DD>
4029 <DT>ipsec_atodata(3)</DT>
4030 <DT><A href="manpage.d/ipsec_datatoa.3.html">ipsec_datatoa(3)</A></DT>
4031 <DD>convert binary data from and to ASCII formats</DD>
4032 <DT><A href="manpage.d/ipsec_atosa.3.html">ipsec_atosa(3)</A></DT>
4033 <DT><A href="manpage.d/ipsec_satoa.3.html">ipsec_satoa(3)</A></DT>
4034 <DD>convert IPSEC Security Association IDs to and from ASCII</DD>
4035 <DT><A href="manpage.d/ipsec_atoul.3.html">ipsec_atoul(3)</A></DT>
4036 <DT><A href="manpage.d/ipsec_ultoa.3.html">ipsec_ultoa(3)</A></DT>
4037 <DD>convert unsigned-long numbers to and from ASCII</DD>
4038 <DT><A href="manpage.d/ipsec_goodmask.3.html">ipsec_goodmask(3)</A></DT>
4039 <DD>is this Internet subnet mask a valid one?</DD>
4040 <DT><A href="manpage.d/ipsec_masktobits.3.html">ipsec_masktobits(3)</A></DT>
4041 <DD>convert Internet subnet mask to bit count</DD>
4042 <DT><A href="manpage.d/ipsec_bitstomask.3.html">ipsec_bitstomask(3)</A></DT>
4043 <DD>convert bit count to Internet subnet mask</DD>
4044 <DT><A href="manpage.d/ipsec_optionsfrom.3.html">ipsec_optionsfrom(3)</A>
4046 <DD>read additional ``command-line'' options from file</DD>
4047 <DT><A href="manpage.d/ipsec_subnetof.3.html">ipsec_subnetof(3)</A></DT>
4048 <DD>given Internet address and subnet mask, return subnet number</DD>
4049 <DT><A href="manpage.d/ipsec_hostof.3.html">ipsec_hostof(3)</A></DT>
4050 <DD>given Internet address and subnet mask, return host part</DD>
4051 <DT><A href="manpage.d/ipsec_broadcastof.3.html">ipsec_broadcastof(3)</A>
4053 <DD>given Internet address and subnet mask, return broadcast address</DD>
4056 <H1><A name="firewall">FreeS/WAN and firewalls</A></H1>
4057 <P> FreeS/WAN, or other IPSEC implementations, frequently run on
4058 gateway machines, the same machines running firewall or packet
4059 filtering code. This document discusses the relation between the two.</P>
4060 <H2><A name="packets">IPSEC packets</A></H2>
4061 <P>IPSEC uses three main types of packet:</P>
4063 <DT><A href="#IKE">IKE</A> uses <STRONG>the UDP protocol and port 500</STRONG>
4065 <DD>Unless you are using only (less secure, not recommended) manual
4066 keying, you need IKE to negotiate connection parameters, acceptable
4067 algorithms, key sizes and key setup. IKE handles everything required
4068 to set up, rekey, repair or tear down IPSEC connections.</DD>
4069 <DT><A href="#ESP">ESP</A> is <STRONG>protocol number 50</STRONG></DT>
4070 <DD>This is required for encrypted connections.</DD>
4071 <DT><A href="#AH">AH</A> is <STRONG>protocol number 51</STRONG></DT>
4072 <DD>This can be used where only authentication, not encryption, is
4073 required. That can also be done with ESP and null encryption.</DD>
4075 <P> All of those packets should have appropriate IPSEC gateway
4076 addresses in both the to and from IP header fields. Firewall rules can
4077 check this if you wish, though it is not strictly necessary. This is
4078 discussed in more detail <A href="#unknowngate">later</A>. </P>
4079 <P> IPSEC processing of incoming packets authenticates them then
4080 removes the ESP or AH header and decrypts if necessary. Successful
4081 processing exposes an inner packet which is then delivered back to the
4082 firewall machinery, marked as having arrived on an <VAR>ipsec[0-3]</VAR>
4083 interface. Firewall rules can use that interface label to distinguish
4084 these packets from unencrypted packets which are labelled with the
4085 physical interface they arrived on (or perhaps with a non-IPSEC virtual
4086 interface such as <VAR>ppp0</VAR>).</P>
4087 <P> One of our users sent a mailing list message with a <A href="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/12/msg00006.html">
4088 diagram</A> of the packet flow. </P>
4089 <H3><A name="noport">ESP and AH do not have ports</A></H3>
4090 <P> Some protocols, such as TCP and UDP, have the notion of ports.
4091 Others protocols, including ESP and AH, do not. Quite a few IPSEC
4092 newcomers have become confused on this point. There are no ports <EM>in</EM>
4093 the ESP or AH protocols, and no ports used <EM>for</EM> them. For
4094 these protocols, <EM>the idea of ports is completely irrelevant</EM>.</P>
4095 <H3><A name="header">Header layout</A></H3>
4096 <P>The protocol numbers for ESP or AH are used in the 'next header'
4097 field of the IP header. On most non-IPSEC packets, that field would
4101 <LI>4 for IP-in-IP encapsulation</LI>
4104 <LI>... or one of about 100 other possibilities listed by <A href="http://www.isi.edu/in-notes/iana/assignments/protocol-numbers">
4107 <P>Each header in the sequence tells what the next header will be.
4108 IPSEC adds headers for ESP or AH near the beginning of the sequence.
4109 The original headers are kept and the 'next header' fields adjusted so
4110 that all headers can be correctly interpreted.</P>
4111 <P>For example, using <STRONG>[</STRONG><STRONG> ]</STRONG> to indicate
4112 data protected by ESP and unintelligible to an eavesdropper between
4115 <LI>a simple packet might have only IP and TCP headers with:
4117 <LI>IP header says next header --> TCP</LI>
4118 <LI>TCP header port number --> which process to send data to</LI>
4122 <LI>with ESP <A href="#transport">transport mode</A> encapsulation,
4123 that packet would have:
4125 <LI>IP header says next header --> ESP</LI>
4126 <LI>ESP header <STRONG>[</STRONG> says next --> TCP</LI>
4127 <LI>TCP header port number --> which process to send data to</LI>
4128 <LI>data <STRONG>]</STRONG></LI>
4130 Note that the IP header is outside ESP protection, visible to an
4131 attacker, and that the final destination must be the gateway.</LI>
4132 <LI>with ESP in <A href="#tunnel">tunnel mode</A>, we might have:
4134 <LI>IP header says next header --> ESP</LI>
4135 <LI>ESP header <STRONG>[</STRONG> says next --> IP</LI>
4136 <LI>IP header says next header --> TCP</LI>
4137 <LI>TCP header port number --> which process to send data to</LI>
4138 <LI>data <STRONG>]</STRONG></LI>
4140 Here the inner IP header is protected by ESP, unreadable by an
4141 attacker. Also, the inner header can have a different IP address than
4142 the outer IP header, so the decrypted packet can be routed from the
4143 IPSEC gateway to a final destination which may be another machine.</LI>
4145 <P> Part of the ESP header itself is encrypted, which is why the <STRONG>
4146 [</STRONG> indicating protected data appears in the middle of some
4147 lines above. The next header field of the ESP header is protected. This
4148 makes <A href="#traffic">traffic analysis</A> more difficult. The next
4149 header field would tell an eavesdropper whether your packet was UDP to
4150 the gateway, TCP to the gateway, or encapsulated IP. It is better not
4151 to give this information away. A clever attacker may deduce some of it
4152 from the pattern of packet sizes and timings, but we need not make it
4154 <P> IPSEC allows various combinations of these to match local policies,
4155 including combinations that use both AH and ESP headers or that nest
4156 multiple copies of these headers.</P>
4157 <P> For example, suppose my employer has an IPSEC VPN running between
4158 two offices so all packets travelling between the gateways for those
4159 offices are encrypted. If gateway policies allow it (The admins could
4160 block UDP 500 and protocols 50 and 51 to disallow it), I can build an
4161 IPSEC tunnel from my desktop to a machine in some remote office. Those
4162 packets will have one ESP header throughout their life, for my
4163 end-to-end tunnel. For part of the route, however, they will also have
4164 another ESP layer for the corporate VPN's encapsulation. The whole
4165 header scheme for a packet on the Internet might be:</P>
4167 <LI>IP header (with gateway address) says next header --> ESP</LI>
4168 <LI>ESP header <STRONG>[</STRONG> says next --> IP</LI>
4169 <LI>IP header (with receiving machine address) says next header --> ESP</LI>
4170 <LI>ESP header <STRONG>[</STRONG> says next --> TCP</LI>
4171 <LI>TCP header port number --> which process to send data to</LI>
4172 <LI>data <STRONG>]]</STRONG></LI>
4174 <P> The first ESP (outermost) header is for the corporate VPN. The
4175 inner ESP header is for the secure machine-to-machine link.</P>
4176 <H2><A name="filters">Filtering rules for IPSEC packets</A></H2>
4177 <P> As a consequence of the above, an IPSEC gateway should have packet
4178 filters that allow the following protocols when talking to other IPSEC
4181 <LI>UDP port 500</LI>
4182 <LI>protocol 50 if you use ESP encryption and/or authentication (the
4184 <LI>protocol 51 if you use AH packet-level authentication</LI>
4186 <P> Your gateway and the other IPSEC gateways it communicates with must
4187 be able to exchange these packets for IPSEC to work. Firewall rules
4188 must allow UDP 500 and at least one of AH or ESP on the interface that
4189 communicates with the other gateway. </P>
4190 <H3><A name="through">IPSEC <EM>through</EM></A> the gateway</H3>
4191 <P> The preceeding paragraph deals with packets <EM>addressed to or
4192 sent from your gateway</EM>. It is a separate policy decision whether
4193 to permit such packets to pass <EM>through</EM> the gateway so that
4194 client machines can build end-to-end IPSEC tunnels of their own. This
4195 may not be practical if you are using <A href="#NAT">NAT (IP
4196 masquerade)</A> on your gateway, and may conflict with some corporate
4197 security policies. Other than that, it is likely a good idea.</P>
4198 <H3><A name="ipsec_only">Preventing non-IPSEC traffic</A></H3>
4199 You can of course also filter <EM>everything but</EM> UDP port 500 and
4200 ESP or AH to restrict traffic to IPSEC only, either for anyone
4201 communicating with your host or just for specific partners.
4202 <H3><A name="unknowngate">Filtering packets from unknown gateways</A></H3>
4203 <P> It is possible to use firewall rules to restrict UDP 500, ESP and
4204 AH packets so that these packets are accepted only from known gateways.
4205 This is not strictly necessary since FreeS/WAN will discard packets
4206 from unknown gateways. You might, however, want to do it for any of a
4207 number of reasons. For example:</P>
4209 <LI>Arguably, "belt and suspenders" is the sensible approach to
4210 security. If you can block a potential attack in two ways, use both.
4211 The only question is whether to look for a third way after
4212 implementing the first two.</LI>
4213 <LI>Some admins may prefer to use the firewall code this way because
4214 they prefer firewall logging to FreeS/WAN's logging.</LI>
4215 <LI>You may need it to implement your security policy. Consider an
4216 employee working at home, and a policy that says traffic from the home
4217 system to the Internet at large must go first via IPSEC to the
4218 corporate LAN and then out to the Internet via the corporate firewall.
4219 One way to do that is to make <VAR>ipsec0</VAR> the default route on
4220 the home gateway and provide exceptions only for UDP 500 and ESP to
4221 the corporate gateway. Everything else is then routed via the tunnel
4222 to the corporate gateway.</LI>
4224 <P>It is not possible to use only static firewall rules for this
4225 filtering if you do not know the other gateways' IP addresses in
4226 advance, for example if you have "road warriors" who may connect from
4227 a different address each time or if want to do <A href="#carpediem">
4228 opportunistic encryption</A> to arbitrary gateways. In these cases,
4229 you can accept UDP 500 IKE packets from anywhere, then use the <A href="#updown">
4230 updown</A> script feature of <A href="manpage.d/ipsec_pluto.8.html">
4231 pluto(8)</A> to dynamically adjust firewalling for each negotiated
4233 <P>Firewall packet filtering does not much reduce the risk of a <A href="#DoS">
4234 denial of service attack</A> on FreeS/WAN. The firewall can drop
4235 packets from unknown gateways, but KLIPS does that quite efficiently
4236 anyway, so you gain little. The firewall cannot drop otherwise
4237 legitmate packets that fail KLIPS authentication, so it cannot protect
4238 against an attack designed to exhaust resources by making FreeS/WAN
4239 perform many expensive authentication operations.</P>
4240 <P>In summary, firewall filtering of IPSEC packets from unknown
4241 gateways is possible but not strictly necessary.</P>
4242 <H2><A name="otherfilter">Other packet filters</A></H2>
4243 <P>When the IPSEC gateway is also acting as your firewall, other packet
4244 filtering rules will be in play. In general, those are outside the
4245 scope of this document. See our <A href="#firewall">Linux firewall
4246 links</A> for information. There are a few types of packet, however,
4247 which can affect the operation of FreeS/WAN or of diagnostic tools
4248 commonly used with it. These are discussed below.</P>
4249 <H3><A name="ICMP">ICMP filtering</A></H3>
4250 <P><A href="#icmp">ICMP</A> is the <STRONG>I</STRONG>nternet <STRONG>C</STRONG>
4251 ontrol <STRONG>M</STRONG>essage <STRONG>P</STRONG>rotocol. It is used
4252 for messages between IP implementations themselves, whereas IP used is
4253 used between the clients of those implementations. ICMP is,
4254 unsurprisingly, used for control messages. For example, it is used to
4255 notify a sender that a desination is not reachable, or to tell a router
4256 to reroute certain packets elsewhere. </P>
4257 <P> ICMP handling is tricky for firewalls. </P>
4259 <LI>You definitely want some ICMP messages to get through; things won't
4260 work without them. For example, your clients need to know if some
4261 destination they ask for is unreachable. </LI>
4262 <LI>On the other hand, you do equally definitely do not want untrusted
4263 folk sending arbitrary control messages to your machines. Imagine what
4264 someone moderately clever and moderately malicious could do to you,
4265 given control of your network's routing. </LI>
4267 <P>ICMP does not use ports. Messages are distinguished by a "message
4268 type" field and, for some types, by an additional "code" field. The
4269 definitive list of types and codes is on the <A href="http://www.isi.edu/in-notes/iana/assignments/icmp-parameters">
4271 <P>One expert uses this definition for ICMP message types to be dropped
4272 at the firewall.</P>
4274 # ICMP types which lack socially redeeming value.
4276 # 9 Router Advertisement
4277 # 10 Router Selection
4278 # 15 Information Request
4279 # 16 Information Reply
4280 # 17 Address Mask Request
4281 # 18 Address Mask Reply
4283 badicmp='5 9 10 15 16 17 18'
4285 <P> A more conservative approach would be to make a list of allowed
4286 types and drop everything else.</P>
4287 <P>Whichever way you do it, your ICMP filtering rules on a FreeS/WAN
4288 gateway should allow at least the following ICMP packet types:</P>
4290 <DT>echo (type 8)</DT>
4292 <DT>echo reply (type 0)</DT>
4293 <DD>These are used by ping(1). We recommend allowing both types through
4294 the tunnel and to or from your gateway's external interface, since
4295 ping(1) is an essential testing tool. </DD>
4296 <P>It is fairly common for firewalls to drop ICMP echo packets
4297 addressed to machines behind the firewall. If that is your policy,
4298 please create an exception for such packets arriving via an IPSEC
4299 tunnel, at least during intial testing of those tunnels.</P>
4300 <DT>destination unreachable (type 3)</DT>
4301 <DD>This is used, with code 4 (Fragmentation Needed and Don't Fragment
4302 was Set) in the code field, to control <A href="#pathMTU">path MTU
4303 discovery</A>. Since IPSEC processing adds headers, enlarges packets
4304 and may cause fragmentation, an IPSEC gateway should be able to send
4305 and receive these ICMP messages <STRONG>on both inside and outside
4306 interfaces</STRONG>.</DD>
4308 <H3><A name="traceroute">UDP packets for traceroute</A></H3>
4309 <P> The traceroute(1) utility uses UDP port numbers from 33434 to
4310 approximately 33633. Generally, these should be allowed through for
4311 troubleshooting.</P>
4312 <P> Some firewalls drop these packets to prevent outsiders exploring
4313 the protected network with traceroute(1). If that is your policy,
4314 consider creating an exception for such packets arriving via an IPSEC
4315 tunnel, at least during intial testing of those tunnels.</P>
4316 <H3><A name="l2tp">UDP for L2TP</A></H3>
4317 Windows 2000 does, and products designed for compatibility with it
4318 may, build <A href="#l2tp">L2TP</A> tunnels over IPSEC connections.
4319 <P> For this to work, you must allow UDP protocol 1701 packets coming
4320 out of your tunnels to continue to their destination. You can, and
4321 probably should, block such packets to or from your external
4322 interfaces, but allow them from <VAR>ipsec0</VAR>. </P>
4323 <P> See also our Windows 2000 <A href="#win2k">interoperation discussion</A>
4325 <H2><A name="NAT">IPSEC and NAT</A></H2>
4326 <P><A href="#NAT"> Network Address Translation</A>, also known as IP
4327 masquerading, is a method of allocating IP addresses dynamically,
4328 typically in circumstances where the total number of machines which
4329 need to access the Internet exceeds the supply of IP addresses.</P>
4330 <P> Any attempt to perform NAT operations on IPSEC packets <EM>between
4331 the IPSEC gateways</EM> creates a basic conflict:</P>
4333 <LI>IPSEC wants to authenticate packets and ensure they are unaltered
4334 on a gateway-to-gateway basis</LI>
4335 <LI>NAT rewrites packet headers as they go by</LI>
4336 <LI>IPSEC authentication fails if packets are rewritten anywhere
4337 between the IPSEC gateways</LI>
4339 For <A href="#AH">AH</A>, which authenticates parts of the packet
4340 header including source and destination IP addresses, this is fatal. If
4341 NAT changes those fields, AH authentication fails.
4342 <P> For <A href="#IKE">IKE</A> and <A href="#ESP">ESP</A> it is not
4343 necessarily fatal, but is certainly an unwelcome complication. </P>
4344 <H3><A name="nat_ok">NAT on or behind the IPSEC gateway works</A></H3>
4345 <P> This problem can be avoided by having the masquerading take place <EM>
4346 on or behind</EM> the IPSEC gateway. </P>
4347 <P> This can be done physically with two machines, one physically
4348 behind the other. A picture, using SG to indicate IPSEC <STRONG>S</STRONG>
4349 ecurity <STRONG>G</STRONG>ateways, is: </P>
4351 clients --- NAT ----- SG ---------- SG
4354 <P> In this configuration, the actual client addresses need not be
4355 given in the <VAR>leftsubnet=</VAR> parameter of the FreeS/WAN
4356 connection description. The security gateway just delivers packets to
4357 the NAT box; it needs only that machine's address. What that machine
4358 does with them does not affect FreeS/WAN. </P>
4359 <P> A more common setup has one machine performing both functions:</P>
4361 clients ----- NAT/SG ---------------SG
4364 Here you have a choice of techniques depending on whether you want to
4365 make your client subnet visible to clients on the other end:
4367 <LI>If you want the single gateway to behave like the two shown above,
4368 with your clients hidden behind the NAT, then omit the <VAR>leftsubnet=</VAR>
4369 parameter. It then defaults to the gateway address. Clients on the
4370 other end then talk via the tunnel only to your gateway. The gateway
4371 takes packets emerging from the tunnel, applies normal masquerading,
4372 and forwards them to clients. </LI>
4373 <LI>If you want to make your client machines visible, then give the
4374 client subnet addresses as the <VAR>leftsubnet=</VAR> parameter in the
4375 connection description and
4378 <DD>set <VAR>leftfirewall=yes</VAR> to use the default <VAR>updown</VAR>
4381 <DD>use your own script by giving its name in a <VAR>leftupdown=</VAR>
4384 These scripts are described in their own <A href="#updown">section</A>
4386 <P> In this case, no masquerading is done. Packets to or from the
4387 client subnet are encrypted or decrypted without any change to their
4388 client subnet addresses, although of course the encapsulating packets
4389 use gateway addresses in their headers. Clients behind the right
4390 security gateway see a route via that gateway to the left subnet.</P>
4392 <H3><A name="nat_bad">NAT between gateways is problematic</A></H3>
4393 <P> We recommend not trying to build IPSEC connections which pass
4394 through a NAT machine. This setup poses problems:</P>
4396 clients --- SG --- NAT ---------- SG
4398 If you must try it, some references are:
4400 <LI>Jean_Francois Nadeau's document on doing <A href="http://jixen.tripod.com/#NATed gateways">
4401 IPSEC behind NAT</A></LI>
4402 <LI><A href="#VPN.masq">VPN masquerade patches</A> to make a Linux NAT
4403 box handle IPSEC packets correctly </LI>
4405 <H3><A name="">Other references on NAT and IPSEC</A></H3>
4406 Other documents which may be relevant include:
4408 <LI>an Internet Draft on <A href="http://search.ietf.org/internet-drafts/draft-aboba-nat-ipsec-04.txt">
4409 IPSEC and NAT</A> which may eventually evolve into a standard solution
4410 for this problem. </LI>
4411 <LI>an informational <A href="http://www.cis.ohio-state.edu/rfc/rfc2709.txt">
4412 RFC</A>, <CITE>Security Model with Tunnel-mode IPsec for NAT Domains</CITE>
4414 <LI>an <A href="http://www.cisco.com/warp/public/759/ipj_3-4/ipj_3-4_nat.html">
4415 article</A> in Cisco's <CITE>Internet Protocol Journal</CITE></LI>
4417 <H2><A name="updown">Calling firewall scripts, named in ipsec.conf(5)</A>
4419 <P> The <A href="manpage.d/ipsec.conf.5.html">ipsec.conf</A>
4420 configuration file has three pairs of parameters used to specify an
4421 interface between FreeS/WAN and firewalling code.</P>
4422 <P> Note that using these is not required if you have a static firewall
4423 setup. In that case, you just set your firewall up at boot time (in a
4424 way that permits the IPSEC connections you want) and do not change it
4425 thereafter. Omit all the FreeS/WAN firewall parameters and FreeS/WAN
4426 will not attempt to adjust firewall rules at all. See <A href="#examplefw">
4427 below</A> for some information on appropriate scripts. </P>
4428 <P> However, if you want your firewall rules to change when IPSEC
4429 connections change, then you need to use these parameters. </P>
4430 <H3><A name="pre_post">Scripts called at IPSEC start and stop</A></H3>
4431 <P> One pair of parmeters are set in the <VAR>config setup</VAR>
4432 section of the <A href="manpage.d/ipsec.conf.5.html">ipsec.conf(5)</A>
4433 file and affect all connections:</P>
4438 <DD>specify scripts to be called before our <A href="manpage.d/ipsec_pluto.8.html">
4439 pluto(8)</A> IKE daemon is started and after it is stopped.</DD>
4441 These parameters allow you to change firewall parameters whenever
4442 IPSEC is started or stopped.
4443 <P> They can also be used in other ways. For example, you might have <VAR>
4444 prepluto</VAR> add a module to your kernel for the secure network
4445 interface or make a dialup connection, and then have <VAR>postpluto</VAR>
4446 remove the module or take the connection down. </P>
4447 <H3><A name="up_down">Scripts called at connection up and down</A></H3>
4448 <P> The other parameters are set in connection descriptions. They can
4449 be set in individual connection descriptions, and could even call
4450 different scripts for each connection for maximum flexibility. In most
4451 applications, however, it makes sense to use only one script and to
4452 call it from <VAR>conn %default</VAR> section so that it applies to all
4454 <P> You can either set <VAR>[left|right]firewall=yes</VAR> to use our
4455 supplied default script or assign a name in a <VAR>[left|right]updown=</VAR>
4456 line to use your own script. </P>
4457 <P> For details of when Pluto calls these scripts, what arguments it
4458 passes to them, and what the default script does with those arguments,
4459 see the <A href="manpage.d/ipsec_pluto.8.html">ipsec_pluto(8)</A> man
4461 <P> Note that <STRONG>only one of these should be used</STRONG>. You
4462 cannot sensibly use both. </P>
4463 <H4><A name="">The default script</A></H4>
4464 We supply a default script named <VAR>_updown</VAR>.
4466 <DT>leftfirewall=</DT>
4468 <DT>rightfirewall=</DT>
4469 <DD>indicates that the gateway is doing firewalling and that <A href="manpage.d/ipsec_pluto.8.html">
4470 pluto(8)</A> should poke holes in the firewall as required. </DD>
4472 Set these to <VAR>yes</VAR> and Pluto will call our default script <VAR>
4473 _updown</VAR> with appropriate arguments whenever it:
4475 <LI>starts or stops IPSEC services</LI>
4476 <LI>brings a connection up or down</LI>
4478 The supplied default <VAR>_updown</VAR> script is appropriate for
4479 simple cases using the <VAR>ipfwadm(8)</VAR> firewalling package.
4480 <H4><A name="userscript">User-written scripts</A></H4>
4481 You can also write your own script and have Pluto call it. Just put
4482 the script's name in one of these <A href="manpage.d/ipsec.conf.5.html">
4483 ipsec.conf(5)</A> lines:
4485 <DT>leftupdown=</DT>
4487 <DT>rightupdown=</DT>
4488 <DD>specifies a script to call instead of our default script <VAR>
4491 Your script should take the same arguments and use the same
4492 environment variables as <VAR>_updown</VAR>. These are described in the <A
4493 href="manpage.d/ipsec_pluto.8.html">pluto(8)</A> man page.
4494 <P> In developing your own script, you can of course use our scripts
4495 (either the default _updown or the ipchains-based example given <A href="#exupdownchains">
4496 below</A>) as a starting point. Note, however, that <STRONG>you should
4497 not modify our _updown script in place</STRONG>. If you did that, then
4498 upgraded FreeS/WAN, the upgrade would install a new default script,
4499 overwriting your changes. </P>
4500 <H3><A name="ipchains.script">Scripts for ipchains</A></H3>
4501 <P> Our <VAR>_updown</VAR> is for firewalls using <VAR>ipfwadm(8)</VAR>
4502 . If you are using the more recent package <VAR>ipchains(8)</VAR>, you
4503 must do one of: </P>
4505 <LI>use static firewall rules which require no change for FreeS/WAN </LI>
4506 <LI>limit yourself to ipchains(8)'s ipfwadm(8) emulation mode in order
4507 to use our script </LI>
4508 <LI>write your own script and call it with <VAR>leftupdown</VAR> and <VAR>
4509 rightupdown</VAR>. </LI>
4511 <P> We provide an <A href="#exupdownchains">example script</A> for use
4512 with ipchains(8) below.</P>
4513 <H3><A name="dhr">DHR on the updown script</A></H3>
4514 <P> Here are some mailing list comments from <A href="manpage.d/ipsec_pluto.8.html">
4515 pluto(8)</A> developer Hugh Redelmeier on an earlier draft of this
4518 There are many important things left out
4520 - firewalling is important but must reflect (implement) policy. Since
4521 policy isn't the same for all our customers, and we're not experts,
4522 we should concentrate on FW and MASQ interactions with FreeS/WAN.
4524 - we need a diagram to show packet flow WITHIN ONE MACHINE, assuming
4525 IKE, IPsec, FW, and MASQ are all done on that machine. The flow is
4526 obvious if the components are run on different machines (trace the
4530 + packet appears on public IF, as UDP port 500
4531 + input firewalling rules are applied (may discard)
4532 + Pluto sees the packet.
4535 + Pluto generates the packet & writes to public IF, UDP port 500
4536 + output firewalling rules are applied (may discard)
4537 + packet sent out public IF
4539 IPsec input, with encapsulated packet, outer destination of this host:
4540 + packet appears on public IF, protocol 50 or 51. If this
4541 packet is the result of decapsulation, it will appear
4542 instead on the paired ipsec IF.
4543 + input firewalling rules are applied (but packet is opaque)
4544 + KLIPS decapsulates it, writes result to paired ipsec IF
4545 + input firewalling rules are applied to resulting packet
4546 as input on ipsec IF
4547 + if the destination of the packet is this machine, the
4548 packet is passed on to the appropriate protocol handler.
4549 If the original packet was encapsulated more than once
4550 and the new outer destination is this machine, that
4551 handler will be KLIPS.
4553 * routing is done for the resulting packet. This may well
4554 direct it into KLIPS for encoding or encrypting. What
4555 happens then is described elsewhere.
4556 * forwarding firewalling rules are applied
4557 * output firewalling rules are applied
4558 * the packet is sent where routing specified
4560 IPsec input, with encapsulated packet, outer destination of another host:
4561 + packet appears on some IF, protocol 50 or 51
4562 + input firewalling rules are applied (but packet is opaque)
4563 + routing selects where to send the packet
4564 + forwarding firewalling rules are applied (but packet is opaque)
4565 + packet forwarded, still encapsulated
4567 IPsec output, from this host or from a client:
4568 + if from a client, input firewalling rules are applied as the
4569 packet arrives on the private IF
4570 + routing directs the packet to an ipsec IF (this is how the
4571 system decides KLIPS processing is required)
4572 + if from a client, forwarding firewalling rules are applied
4573 + KLIPS eroute mechanism matches the source and destination
4574 to registered eroutes, yielding a SPI group. This dictates
4575 processing, and where the resulting packet is to be sent
4576 (the destinations SG and the nexthop).
4577 + output firewalling is not applied to the resulting
4580 - Until quite recently, KLIPS would double encapsulate packets that
4581 didn't strictly need to be. Firewalling should be prepared for
4582 those packets showing up as ESP and AH protocol input packets on
4585 - MASQ processing seems to be done as if it were part of the
4586 forwarding firewall processing (this should be verified).
4588 - If a firewall is being used, it is likely the case that it needs to
4589 be adjusted whenever IPsec SAs are added or removed. Pluto invokes
4590 a script to do this (and to adjust routing) at suitable times. The
4591 default script is only suitable for ipfwadm-managed firewalls. Under
4592 LINUX 2.2.x kernels, ipchains can be managed by ipfwadm (emulation),
4593 but ipchains more powerful if manipulated using the ipchains command.
4594 In this case, a custom updown script must be used.
4596 We think that the flexibility of ipchains precludes us supplying an
4597 updown script that would be widely appropriate.
4599 We do provide a sample script in the next section. It is essentially a
4600 transliteration of the version we supply for ipfwadm. Because it
4601 doesn't process the command line argument, it cannot be directly
4602 subsituted -- it won't support the semantics of *firewall=no. It can be
4603 used in <VAR>[left|right]updown=</VAR>.
4604 <H3><A name="exupdownchains">Example updown script for ipchains</A></H3>
4605 <P> Here is an example updown script for use with ipchains. It is
4606 intended to be called via an <VAR>updown=</VAR> statement in <A href="manpage.d/ipsec.conf.5.html">
4607 ipsec.conf</A>. </P>
4610 # sample updown script for ipchains
4611 # Copyright (C) 2000 D. Hugh Redelmeier, Henry Spencer
4613 # This program is free software; you can redistribute it and/or modify it
4614 # under the terms of the GNU General Public License as published by the
4615 # Free Software Foundation; either version 2 of the License, or (at your
4616 # option) any later version. See .
4618 # This program is distributed in the hope that it will be useful, but
4619 # WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
4620 # or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
4623 # RCSID $Id: firewall.html,v 1.20 2001/06/12 05:14:54 sandy Exp $
4625 # check interface version
4626 case "$PLUTO_VERSION" in
4628 *) echo "$0: unknown interface version \`$PLUTO_VERSION'" >2 exit 2
4632 # check parameter(s)
4633 case "$*" in
4635 *) echo "$0: parameters unexpected" >2 exit 2
4639 # utility functions for route manipulation
4640 # Meddling with this stuff should never be necessary and is most unwise.
4642 route add -net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK \
4643 dev $PLUTO_INTERFACE gw $PLUTO_NEXT_HOP
4646 route del -net $PLUTO_PEER_CLIENT_NET netmask $PLUTO_PEER_CLIENT_MASK \
4647 dev $PLUTO_INTERFACE gw $PLUTO_NEXT_HOP
4651 case "$PLUTO_VERB" in
4652 prepare-host|prepare-client)
4653 # delete possibly-existing route (preliminary to adding a route)
4654 oops="`route del -net $PLUTO_PEER_CLIENT_NET \
4655 netmask $PLUTO_PEER_CLIENT_MASK 2>1"
4656 status="$?"
4657 if test " $oops" = " " -a " $status" != " 0"
4659 oops="silent error in route command, exit status $status"
4661 case "$oops" in
4662 'SIOCDELRT: No such process')
4663 # This is what route (currently -- not documented!) gives
4664 # for "could not find such a route".
4670 route-host|route-client)
4671 # connection to this host or client being routed
4674 unroute-host|unroute-client)
4675 # connection to this host or client being unrouted
4679 # connection to this host coming up
4682 # connection to this host going down
4685 # connection to client subnet, through forwarding firewall, coming up
4686 ipchains -I forward -j ACCEPT -b \
4687 -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
4688 -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
4691 # connection to client subnet, through forwarding firewall, going down
4692 ipchains -D forward -j ACCEPT -b \
4693 -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
4694 -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
4696 *) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >2 exit 1
4699 <H2><A name="examplefw">Ipchains firewall configuration at boot</A></H2>
4700 <P> It is also possible to set up both firewalling and IPSEC with
4701 appropriate scripts at boot and then not use <VAR>leftupdown=</VAR> and <VAR>
4702 rightupdown=</VAR>, or use them only for simple up and down operations.</P>
4703 <P> Basically, the technique is </P>
4705 <LI>allow IPSEC packets (typically, IKE on UDP port 500 plus ESP,
4708 <LI>incoming, if the destination address is your gateway (and
4709 optionally, only from known senders) </LI>
4710 <LI>outgoing, with the from address of your gateway (and optionally,
4711 only to known receivers) </LI>
4714 <LI>let <A href="#Pluto">Pluto</A> deal with IKE </LI>
4715 <LI>let <A href="#KLIPS">KLIPS</A> deal with ESP </LI>
4716 <LI>if necessary, filter incoming packets emerging from KLIPS. </LI>
4718 <P> Firewall rules can recognise packets emerging from IPSEC. They are
4719 marked as arriving on an interface such as <VAR>ipsec0</VAR>, rather
4720 than <VAR>eth0</VAR>, <VAR>ppp0</VAR> or whatever. </P>
4721 <P> While it is possible to create such rules yourself (please let us
4722 know via the <A href="mail.html">mailing list</A> if you do), it may be
4723 both easier and more secure to use a set which has already been
4724 published and tested. Those we know of are described below. </P>
4725 <H3><A name="Ranch.trinity">Scripts based on Ranch's work</A></H3>
4726 <P> One user, Rob Hutton, posted his boot time scripts to the mailing
4727 list, and we included them in previous versions of this documentation.
4728 They are still available from our <A href="http://www.freeswan.org/freeswan_trees/freeswan-1.5/doc/firewall.html#examplefw">
4729 web site</A>. However, they were for an earlier FreeS/WAN version so we
4730 no longer recommend them. Also, they had some bugs. See this <A href="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/04/msg00316.html">
4732 <P> Those scripts were based on David Ranch's scripts for his "Trinity
4733 OS" for setting up a secure Linux. Check his <A href="http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html">
4734 home page</A> for the latest version and for information on his <A href="#ranch">
4735 book</A> on securing Linux. If you are going to base your firewalling
4736 on Ranch's scripts, we recommend using his latest version, and sending
4737 him any IPSEC modifications you make for incorporation into later
4739 <H3><A name="seawall">The Seattle firewall</A></H3>
4740 We have had several mailing lists reports of good results using
4741 FreeS/WAN with Seawall (the Seattle Firewall). See that project's <A href="http://seawall.sourceforge.net/">
4742 home page</A> on Sourceforge.
4743 <H3><A name="rcf">The RCF scripts</A></H3>
4744 Another set of firewall scripts with IPSEC support are the RCF or
4745 rc.firewall scripts. See their <A href="http://jsmoriss.mvlan.net/linux/rcf.html">
4747 <H1><A name="debug">Linux FreeS/WAN Troubleshooting</A></H1>
4748 <P> This is a collection of notes on various aspects of debugging
4749 FreeS/WAN setup and connections. Other sources of information are: </P>
4751 <LI>the <A href="faq.html">FAQ</A> covers:
4753 <LI>common problems </LI>
4754 <LI>common questions </LI>
4755 <LI>interpreting FreeS/WAN error messages </LI>
4758 <LI>If the other end of your connection is not FreeS/WAN, see our <A href="#interop.problem">
4759 interoperation</A> document. </LI>
4761 <H2><A name="report">Problem Reporting</A></H2>
4762 <P> For how to report problems, see the file <A href="prob.report">
4763 doc/prob.report</A>.</P>
4764 <H2><A name="logusage">Logs used</A></H2>
4765 <P> Error messages generated by KLIPS during the boot sequence are
4766 accessible with the <VAR>dmesg</VAR> command.</P>
4767 <P>Pluto logs to:</P>
4769 <LI>/var/log/secure (or, on Debian, /var/log/auth.log)</LI>
4770 <LI>/var/log/messages</LI>
4772 <P>Check both places to get full information. If you find nothing,
4773 check your <VAR>syslogd.conf(5)</VAR> to see where your system is
4775 <H2><A name="info">Information available on your system</A></H2>
4776 <H3><A name="pages">man pages provided</A></H3>
4778 <DT><A href="manpage.d/ipsec.conf.5.html">ipsec.conf(5)</A></DT>
4779 <DD>Manual page for IPSEC configuration file.</DD>
4780 <DT><A href="manpage.d/ipsec.8.html">ipsec(8)</A></DT>
4781 <DD>Primary man page for ipsec utilities.</DD>
4783 <P>Other man pages are on</P>
4784 <P><A href="manpages.html">this list</A> and in</P>
4786 <LI>/usr/local/man/man3</LI>
4787 <LI>/usr/local/man/man5</LI>
4788 <LI>/usr/local/man/man8/ipsec_*</LI>
4790 <H3><A name="statusinfo">Status information</A></H3>
4792 <DT>/proc/net/ipsec*</DT>
4793 <DD>Various files reporting the status of IPSEC.</DD>
4794 <DT>ipsec auto --status</DT>
4795 <DD>Command to get status report from running system. Displays Pluto's
4796 state: the list of "added" conns and the list of state objects
4797 reflecting ISAKMP and IPsec SAs being negotiated or installed.</DD>
4799 <DD>Brief status info.</DD>
4801 <DD>Copious debugging info.</DD>
4803 <H2><A name="pluto.problems">Pluto problem hints</A></H2>
4804 <P> From a message posted to the mailing list Jan 14 2000 by Pluto
4805 developer Hugh Redelmeier:</P>
4807 Until ipsec auto and whack/pluto get fixed:
4809 When puzzled by Pluto behaviour, always look in
4810 /var/log/secure -- that's the unadulterated story.
4812 To get the whole whack output (almost a subset of
4813 the story from Pluto), give auto the --verbose flag
4814 on each invocation. Eg:
4815 ipsec auto --verbose --up sadaisy
4818 Bonus hint: problems snowball. So look for the first problem first,
4819 it is likely to be the cause of later problems.
4821 And a final hint: If one side keeps retrying to no avail, it may be
4822 because the other is unhappy about something and won't reply. Go look
4823 at the other side to figure out what it doesn't like.
4825 Various error messages from Pluto are discussed in the <A href="#error">
4826 FAQ</A> and the <A href="manpage.d/ipsec_pluto.8.html">ipsec_pluto(8)</A>
4828 <H3><A name="gdb.pluto">Using GDB on Pluto</A></H3>
4829 You may need to use the GNU degugger, gdb(1), on Pluto. This should be
4830 necessary only in unusal cases, for example if you encounter a problem
4831 which the Pluto developer cannot readily reproduce or if you are
4833 <P> Here are the Pluto developer's suggestions for doing this: </P>
4835 Can you get a core dump and use gdb to find out what Pluto was doing
4838 To get a core dump, you will have to set dumpdir to point to a
4839 suitable directory (see <A href="manpage.d/ipsec.conf.5.html">ipsec.conf(5)</A>).
4841 To get gdb to tell you interesting stuff:
4843 $ cd dump-directory-you-chose
4844 $ gdb /usr/local/lib/ipsec/pluto core
4849 The resulting output will have been captured by the script command in
4850 a file called "typescript". Send it to the list.
4852 Do not delete the core file. I may need to ask you to print out some
4853 more relevant stuff.
4855 Note that the <VAR>dumpdir</VAR> parameter takes effect only when the
4856 IPsec subsystem is restarted -- reboot or <VAR>ipsec setup restart</VAR>
4858 <H2><A name="ifconfig">ifconfig reports for KLIPS debugging</A></H2>
4859 <P>From a mail message from our KLIPS developer:</P>
4861 Here is a catalogue of the types of errors that can occur for which
4862 statistics are kept when transmitting and receiving packets via klips.
4863 I notice that they are not necessarily logged in the right counter.
4866 Sources of ifconfig statistics for ipsec devices
4869 - packet handed to ipsec_rcv that is not an ipsec packet.
4870 - ipsec packet with payload length not modulo 4.
4871 - ipsec packet with bad authenticator length.
4872 - incoming packet with no SA.
4874 - incoming authentication failed.
4875 - got esp packet with length not modulo 8.
4878 - cannot process ip_options.
4879 - packet ttl expired.
4880 - packet with no eroute.
4881 - eroute with no SA.
4882 - cannot allocate sk_buff.
4883 - cannot allocate kernel memory.
4884 - sk_buff internal error.
4887 The standard counters are:
4889 struct enet_statistics
4891 int rx_packets; /* total packets received */
4892 int tx_packets; /* total packets transmitted */
4893 int rx_errors; /* bad packets received */
4894 int tx_errors; /* packet transmit problems */
4895 int rx_dropped; /* no space in linux buffers */
4896 int tx_dropped; /* no space available in linux */
4897 int multicast; /* multicast packets received */
4900 /* detailed rx_errors: */
4901 int rx_length_errors;
4902 int rx_over_errors; /* receiver ring buff overflow */
4903 int rx_crc_errors; /* recved pkt with crc error */
4904 int rx_frame_errors; /* recv'd frame alignment error */
4905 int rx_fifo_errors; /* recv'r fifo overrun */
4906 int rx_missed_errors; /* receiver missed packet */
4908 /* detailed tx_errors */
4909 int tx_aborted_errors;
4910 int tx_carrier_errors;
4912 int tx_heartbeat_errors;
4913 int tx_window_errors;
4916 of which I think only the first 6 are useful.
4918 <H2><A name="testgates">Testing between security gateways</A></H2>
4919 <P>Sometimes you need to test the tunnel between two security gateways.
4920 This can be done by having a machine behind one gateway ping a machine
4921 behind the other gateway, but this is not always convenient or even
4923 <P>Simply pinging one gateway from the other is not useful. Such a ping
4924 does not normally go through the tunnel. <STRONG>The tunnel handles
4925 trafiic between the two protected subnets, not between the gateways</STRONG>
4926 . Depending on the routing in place, a ping might</P>
4928 <LI>either succeed by finding an unencrypted route</LI>
4929 <LI>or fail by finding no route. Packets without an IPSEC eroute are
4932 <P><STRONG>Neither event tells you anything about the tunnel</STRONG>.
4933 You can explicitly create an eroute to force such packets through the
4934 tunnel, or you can create additional tunnels as described in our <A href="#multitunnel">
4935 configuration document</A>, but those may be an unnecessary
4936 complications in your situation.</P>
4937 <P>The trick is to explicitly use an IP address for the subnet-side
4938 interface of one gateway machine, either as the target of a ping or as
4939 the origin of a traceroute. Since that interface is on the protected
4940 subnet, the resulting packets do go via the tunnel.</P>
4941 <P> From the mailing list:</P>
4943 >; > ;I have two gateways, SG1 and SG2, with I/Fs i and e (for internal and
4944 >; > ;external), and two hosts, H1 and H2 set up as:
4946 >; > ; H1-----(i)SG1(e)===========(e)SG2(i)------H2
4948 >; > ;And I want to test a tunnel set up between the H1 subnet and the H2
4949 >; > ;subnet, but the H2 host may not exist yet, or may not be responding.
4951 >; > ;If I ping SG2i from H1, all traffic in both directions is encrypted,
4952 >; > ;testing the tunnel.
4954 >; > ;If I understand correctly, this could be accomplished by the 'ping -I'
4955 >; > ;feature of which you spoke earlier or 'traceroute -i'?
4958 >; traceroute -i eth0 -f 20 otherSG
4959 >; appears to give me a solution using only N machines, the SGs themselves.
4960 >; This is very nice. Note that in this example, eth0 is the *private* (i)
4961 >; interface. If you try it with the (e) interface or the ipsec0 interface,
4962 >; you won't get the desired result. If you leave off the -f 20, the trace
4963 >; will hang in some totally bizarre way.
4965 <P> Some older Linux distributions did not support ping -I, according
4966 to mailing list comments. More recent comments indicate that this does
4967 now work. For example, you can do:</P>
4969 ping -I 192.168.10.250 192.168.0.11
4971 to test between the interfaces on the two protected subnets.
4972 <H2><A name="c.guide">Claudia's guide</A></H2>
4973 FreeS/WAN "listress" (mailing list tech support person) Claudia
4974 Schmeing posted this guide to trouble-shooting in early March 2000. It
4975 may be worth checking list <A href="#archive">archives</A> for a more
4978 Your mail has inspired me to write a little trouble shooting
4979 guide to supplement and connect the existing docs on the subject.
4980 Here's v. 1. Comments are welcome.
4983 Steps in Troubleshooting Linux FreeS/WAN:
4984 - -----------------------------------------
4989 First, try to find verbose text that describes how things are going wrong
4990 or creating unexpected results. Here's how:
4992 While the dialog from ipsec auto --up myconn (or whatever) will tell
4993 you where the process fails, it is often not very specific. And for
4994 errors that have to do with the use of a conn, you may not even have
4997 More information can be gleaned from the log files, usually
4998 /var/log/messages or /var/log/secure. On some systems, the logfiles
4999 are differently named. To find your error messages, check where your
5000 /etc/syslog.conf or equivalent is directing authpriv.
5002 The amount of your error's description in your logs depends on your debug
5003 settings, klipsdebug= and plutodebug=, in ipsec.conf. See man ipsec.conf for
5004 details. Note that usually, either 'none' or 'all' will be what you want;
5005 you don't need to worry about the nuances of the debug options.
5007 If you're having an negotiation problem (as you are, above) plutodebug
5008 is most relevant. If you have a connection established but the
5009 packets aren't doing what you think they should, play with klipsdebug.
5010 See also /doc/ipsec.html#parts for the division of duties within
5013 After raising your debug levels, restart Linux FreeS/WAN to ensure that
5014 the conf file is re-read, then re-create the error to generate
5015 verbose logs. Proceed to the failure point in the logs and find
5016 the handful of lines which succinctly describe how things are going
5017 wrong or contrary to your expectation.
5020 Interpreting the Error
5021 - ----------------------
5023 To interpret this text, use the following resources:
5025 * the FAQ, doc/faq.html. Since the FAQ is constantly being updated,
5026 the snapshot may have a new entry relevant to your problem. For example,
5027 the faq in today's snapshot, addresses several more questions than the
5028 version on the site.
5030 * doc/config.html. Instructions for some configurations you can
5031 make with Linux FreeS/WAN. See especially doc/config.html#multitunnel,
5032 which is useful in a large proportion of the questions we see on the list.
5034 * doc/trouble.html. Debugging instructions and notes. Note that
5035 most people now test automatic keying only if that's what they're using
5036 in the field, and only revert to manual testing to test unexpected
5037 behaviour that seems to be occurring at a very basic level.
5039 * the list archives. There are three: sandelman nexial, as listed
5040 at mail.html, and the archive for the filtered list at exim.org:
5042 http://www.exim.org/pipermail/linux-ipsec/
5043 (also listed in the upcoming docs).
5045 Each of them works differently, so it's worth checking each.
5047 Take a snippet of the text of your error which doesn't include anything
5048 site specific, ex. "No connection is known for", and search on this.
5049 It's likely you'll find the same answer to someone else's question
5050 this way, and it's faster than asking real-time humans ;-)
5052 * Sometimes a quick peek into the code where the error is being generated
5053 can be helpful. The pluto code is pretty well documented with comments
5054 and meaningful variable names.
5060 A combination of the freeswan.org pages mentioned above and an archive
5061 search will address nearly every problem. But for those times when
5062 you've found something unusual, or your forehead is sore from banging
5063 it on your monitor, there's always the mailing list ;-)
5065 When writing the list, remember that more is more -- While sometimes
5066 an initial query with a quick description of your intent and error
5067 will twig someone's memory of a similar problem, it's often necessary to
5068 send a second mail with a complete problem report. See doc/prob.report
5069 for details. Lastly, as a kindness to other list members, you might post
5070 a link to a website where you've published your barf file rather than
5071 the entire file, if that option's available to you.
5073 Happy trouble shooting,
5078 <H1><A name="kernelconfig">Kernel configuration for FreeS/WAN</A></H1>
5079 <P> This section lists many of the options available when configuring a
5080 Linux kernel, and explains how they should be set on a FreeS/WAN IPSEC
5082 <H2><A name="notall">Not everyone needs to worry about kernel
5083 configuration</A></H2>
5084 <P>Note that in many cases you do not need to mess with these.</P>
5085 <P> You may have a Linux distribution which comes with FreeS/WAN
5086 installed (see this <A href="#products">list</A>). In that case, you
5087 need not do a FreeS/WAN installation or a kernel configuration. Of
5088 course, you might still want to configure and rebuild your kernel to
5089 improve performance or security. This can be done with standard tools
5090 described in the <A href="http://www.linuxdoc.org/HOWTO/Kernel-HOWTO.html">
5091 Kernel HowTo</A>.</P>
5092 <P>If you need to install FreeS/WAN, then you do need to configure a
5093 kernel. However, you may choose to do that using the simplest
5096 <LI>Configure, build and test a kernel for your system before adding
5097 FreeS/WAN. See the <A href="http://www.linuxdoc.org/HOWTO/Kernel-HOWTO.html">
5098 Kernel HowTo</A> for details. <STRONG>This step cannot be skipped</STRONG>
5099 . FreeS/WAN needs the results of your configuration.</LI>
5100 <LI>Then use FreeS/WAN's <VAR>make oldgo</VAR> command. This sets
5101 everything FreeS/WAN needs and retains your values everywhere else.</LI>
5103 <P> This document is for those who choose to configure their FreeS/WAN
5104 kernel themselves.</P>
5105 <H2><A name="assume">Assumptions and notation</A></H2>
5106 <P> Help text for most kernel options is included with the kernel
5107 files, and is accessible from within the configuration utilities. We
5108 assume you will refer to that, and to the <A href="http://www.linuxdoc.org/HOWTO/Kernel-HOWTO.html">
5109 Kernel HowTo</A>, as necessary. This document covers only the
5110 FreeS/WAN-specific aspects of the problem.</P>
5111 <P> To avoid duplication, this document section does not cover settings
5112 for the additional IPSEC-related kernel options which become available
5113 after you have patched your kernel with FreeS/WAN patches. There is
5114 help text for those available from within the configuration utility.</P>
5115 <P> We assume a common configuration in which the FreeS/WAN IPSEC
5116 gateway is also doing ipchains(8) firewalling for a local network, and
5117 possibly masquerading as well.</P>
5118 <P> Some suggestions below are labelled as appropriate for "a true
5119 paranoid". By this we mean they may cause inconvenience and it is not
5120 entirely clear they are necessary, but they appear to be the safest
5121 choice. Not using them might entail some risk. Of course one suggested
5122 mantra for security administrators is: "I know I'm paranoid. I wonder
5123 if I'm paranoid enough."</P>
5124 <H3><A name="labels">Labels used</A></H3>
5125 <P>Six labels are used to indicate how options should be set. We mark
5126 the labels with [square brackets]. For two of these labels, you have
5130 <DD>essential for FreeS/WAN operation.</DD>
5131 <DT>[incompatible]</DT>
5132 <DD>incompatible with FreeS/WAN.</DD>
5134 <P>those must be set correctly or FreeS/WAN will not work</P>
5135 <P>FreeS/WAN should work with any settings of the others, though of
5136 course not all combinations have been tested. We do label these in
5137 various ways, but <EM>these labels are only suggestions</EM>.</P>
5139 <DT>[recommended]</DT>
5140 <DD>useful on most FreeS/WAN gateways</DD>
5142 <DD>an unwelcome complication on a FreeS/WAN gateway.</DD>
5144 <DD>Your choice. We outline issues you might consider.</DD>
5146 <DD>This option has no direct effect on FreeS/WAN and related tools, so
5147 you should be able to set it as you please.</DD>
5149 <P> Of course complexity is an enemy in any effort to build secure
5150 systems. <STRONG>For maximum security, any feature that can reasonably
5151 be turned off should be</STRONG>. "If in doubt, leave it out."</P>
5152 <H2><A name="kernelopt">Kernel options for FreeS/WAN</A></H2>
5153 <P>Indentation is based on the nesting shown by 'make menuconfig' with
5154 a 2.2.16 kernel for the i386 architecture.</P>
5156 <DT><A name="maturity">Code maturity and level options</A></DT>
5159 <DT><A name="devel">Prompt for development ... code/drivers</A></DT>
5160 <DD>[optional] If this is <VAR>no</VAR>, experimental drivers are not
5161 shown in later menus. </DD>
5162 <P>For most FreeS/WAN work, <VAR>no</VAR> is the preferred setting.
5163 Using new or untested components is too risky for a security gateway.</P>
5164 <P>However, for some hardware (such as the author's network cards) the
5165 only drivers available are marked <VAR> new/experimental</VAR>. In such
5166 cases, you must enable this option or your cards will not appear under
5167 "network device support". A true paranoid would leave this option off
5168 and replace the cards.</P>
5172 <DT>Processor type and features</DT>
5174 <DT>Loadable module support</DT>
5177 <DT>Enable loadable module support</DT>
5178 <DD>[optional] A true paranoid would disable this. An attacker who has
5179 root access to your machine can fairly easily install a bogus module
5180 that does awful things, provided modules are enabled. A common tool
5181 for attackers is a "rootkit", a set of tools used once they have
5182 become root to introduce assorted additional compromises so that they
5183 "own" your system despite most recovery efforts. For Linux, there is a
5184 tool called <A href="http://www.sans.org/newlook/resources/IDFAQ/knark.htm">
5185 knark</A> which is basically a rootkit packaged as a kernel module. </DD>
5186 <P>With modules disabled, an attacker cannot install a bogus module.
5187 The only way he can achieve the same effects is to install a new
5188 kernel and reboot. This is considerably more likely to be noticed. </P>
5189 <P>Many FreeS/WAN gateways run with modules enabled. This simplifies
5190 some administrative tasks and some ipchains features are available
5191 only as modules. Once an enemy has root on your machine your security
5192 is nil, so arguably defenses which come into play only in that
5193 situation are pointless.</P>
5196 <DT>Set version information ....</DT>
5197 <DD>[optional] This provides a check to prevent loading modules
5198 compiled for a different kernel.</DD>
5199 <DT>Kernel module loader</DT>
5200 <DD>[disable] It gives little benefit on a typical FreeS/WAN gate and
5201 entails some risk.</DD>
5202 <DT>General setup</DT>
5203 <DD>We list here only the options that matter for FreeS/WAN.
5205 <DT>Networking support</DT>
5207 <DT>Sysctl interface</DT>
5208 <DD>[optional] If this option is turned on and the <VAR> /proc</VAR>
5209 filesystem installed, then you can control various system behaviours
5210 by writing to files under <VAR> /proc/sys</VAR>. For example: </DD>
5211 <PRE> echo 1 > /proc/sys/net/ipv4/ipforward</PRE>
5212 turns IP forwarding on.
5213 <P>Disabling this option breaks many firewall scripts. A true paranoid
5214 would disable it anyway since it might conceivably be of use to an
5218 <DT>Plug and Play support</DT>
5220 <DT>Block devices</DT>
5222 <DT>Networking options</DT>
5225 <DT>Packet socket</DT>
5226 <DD>[optional] This kernel feature supports tools such as tcpdump(8)
5227 which communicate directly with network hardware, bypassing kernel
5228 protocols. This is very much a two-edged sword:
5230 <LI>such tools can be very useful to the firewall admin, especially
5231 during initial testing</LI>
5232 <LI>should an evildoer breach your firewall, such tools could give him
5233 or her a great deal of information about the rest of your network</LI>
5235 We recommend disabling this option on production gateways.</DD>
5236 <DT><A name="netlink">Kernel/User netlink socket</A></DT>
5237 <DD>[optional] Required if you want to use <A href="#adv">advanced
5238 router</A> features.</DD>
5239 <DT>Routing messages</DT>
5241 <DT>Netlink device emulation</DT>
5243 <DT>Network firewalls</DT>
5244 <DD>[recommended] You need this if the IPSEC gateway also functions as
5246 <P>Even if the IPSEC gateway is not your primary firewall, we suggest
5247 setting this so that you can protect the gateway with at least basic
5248 local packet filters.</P>
5251 <DT>Socket filtering</DT>
5252 <DD>[disable] This enables an older filtering interface. We suggest
5253 using ipchains(8) instead. To do that, set the "Network firewalls"
5254 option just above, and not this one.</DD>
5255 <DT>Unix domain sockets</DT>
5256 <DD>[required] These sockets are used for communication between the <A href="manpage.d/ipsec.8.html">
5257 ipsec(8)</A> commands and the <A href="manpage.d/ipsec_pluto.8.html">
5258 ipsec_pluto(8)</A> daemon.</DD>
5259 <DT>TCP/IP networking</DT>
5262 <DT>IP: multicasting</DT>
5264 <DT><A name="adv">IP: advanced router</A></DT>
5265 <DD>[optional] This gives you policy routing, which some people have
5266 used to good advantage in their scripts for FreeS/WAN gateway
5267 management. It is not used in our distributed scripts, so not required
5268 unless you want it for custom scripts. It requires the <A href="#netlink">
5269 netlink</A> interface between kernel code and the iproute2(8) command.</DD>
5270 <DT>IP: kernel level autoconfiguration</DT>
5271 <DD>[disable] It gives little benefit on a typical FreeS/WAN gate and
5272 entails some risk.</DD>
5273 <DT>IP: firewall packet netlink device</DT>
5275 <DT>IP: transparent proxy support</DT>
5276 <DD>[optional] This is required in some firewall configurations, but
5277 should be disabled unless you have a definite need for it. </DD>
5278 <DT>IP: masquerading</DT>
5279 <DD>[optional] Required if you want to use <A href="#non-routable">
5280 non-routable</A> private IP addresses for your local network.</DD>
5281 <DT>IP: Optimize as router not host</DT>
5282 <DD>[recommended]</DD>
5283 <DT>IP: tunneling</DT>
5285 <DT>IP: GRE tunnels over IP</DT>
5287 <DT>IP: aliasing support</DT>
5289 <DT>IP: ARP daemon support (EXPERIMENTAL)</DT>
5290 <DD>Not required on most systems, but might prove useful on
5291 heavily-loaded gateways.</DD>
5292 <DT>IP: TCP syncookie support</DT>
5293 <DD>[recommended] It provides a defense against a <A href="#DoS">denial
5294 of service attack</A> which uses bogus TCP connection requests to
5295 waste resources on the victim machine.</DD>
5296 <DT>IP: Reverse ARP</DT>
5298 <DT>IP: large window support</DT>
5299 <DD>[recommended] unless you have less than 16 meg RAM</DD>
5303 <DD>[optional] FreeS/WAN does not currently support IPv6, though work
5304 on integrating FreeS/WAN with the Linux IPv6 stack has begun. <A href="#ipv6">
5306 <P> It should be possible to use IPv4 FreeS/WAN on a machine which also
5307 does IPv6. This combination is not yet well tested. We would be quite
5308 interested in hearing results from anyone expermenting with it, via
5309 the <A href="mail.html"> mailing list</A>. </P>
5310 <P> We do not recommend using IPv6 on production FreeS/WAN gateways
5311 until more testing has been done. </P>
5315 <DD>[disable] Quite a few Linux installations use IP but also have
5316 some other protocol, such as Appletalk or IPX, for communication with
5317 local desktop machines. In theory it should be possible to configure
5318 IPSEC for the IP side of things without interfering with the second
5320 <P>We do not recommend this. Keep the software on your gateway as
5321 simple as possible. If you need a Linux-based Appletalk or IPX server,
5322 use a separate machine.</P>
5323 <DT>Telephony support</DT>
5325 <DT>SCSI support</DT>
5327 <DT>I2O device support</DT>
5329 <DT>Network device support</DT>
5330 <DD>[anything] should work, but there are some points to note. </DD>
5331 <P>The development team test almost entirely on 10 or 100 megabit
5332 Ethernet and modems. In principle, any device that can do IP should be
5333 just fine for IPSEC, but in the real world any device that has not
5334 been well-tested is somewhat risky. By all means try it, but don't bet
5335 your project on it until you have solid test results.</P>
5336 <P>If you disabled experimental drivers in the <A href="#maturity">Code
5337 maturity</A> section above, then those drivers will not be shown here.
5338 Check that option before going off to hunt for missing drivers.</P>
5339 <P>If you want Linux to automatically find more than one ethernet
5340 interface at boot time, you need to:</P>
5342 <LI>compile the appropriate driver(s) into your kernel. Modules will
5343 not work for this</LI>
5344 <LI>add a line such as </LI>
5346 append="ether=0,0,eth0 ether=0,0,eth1"
5348 to your /etc/lilo.conf file. In some cases you may need to specify
5349 parameters such as IRQ or base address. The example uses "0,0" for
5350 these, which tells the system to search. If the search does not
5351 succeed on your hardware, then you should retry with explicit
5352 parameters. See the lilo.conf(5) man page or the <A href="http://www.linuxdocs.org/mini/LILO.html">
5353 LILO mini-HowTo</A> for details.
5354 <LI>run lilo(8)</LI>
5356 Having Linux find the cards this way is not necessary, but is usually
5357 more convenient than loading modules in your boot scripts.
5358 <DT>Amateur radio support</DT>
5360 <DT>IrDA (infrared) support</DT>
5362 <DT>ISDN subsystem</DT>
5364 <DT>Old CDROM drivers</DT>
5366 <DT>Character devices</DT>
5367 <DD>The only required character device is:
5370 <DD>[required] This is a source of <A href="#random">random</A> numbers
5371 which are required for many cryptographic protocols, including several
5372 used in IPSEC. </DD>
5373 <P>If you are comfortable with C source code, it is likely a good idea
5374 to go in and adjust the <VAR>#define</VAR> lines in <VAR>
5375 /usr/src/linux/drivers/char/random.c</VAR> to ensure that all sources
5376 of randomness are enabled. Relying solely on keyboard and mouse
5377 randomness is dubious procedure for a gateway machine. You could also
5378 increase the randomness pool size from the default 512 bytes (128
5382 <DT>Filesystems</DT>
5383 <DD>[anything] should work, but we suggest limiting a gateway machine
5384 to the standard Linux ext2 filesystem in most cases.</DD>
5385 <DT>Network filesystems</DT>
5386 <DD>[disable] These systems are an unnecessary risk on an IPSEC
5388 <DT>Console drivers</DT>
5391 <DD>[anything] should work, but we suggest enabling sound only if you
5392 plan to use audible alarms for firewall problems.</DD>
5393 <DT>Kernel hacking</DT>
5394 <DD>[disable] This might be enabled on test machines, but should not
5395 be on production gateways.</DD>
5397 <H1><A name="roadmap">Distribution Roadmap: What's Where in Linux
5399 <P> This file is a guide to the locations of files within the FreeS/WAN
5400 distribution. Everything described here should be on your system once
5401 you download, gunzip, and untar the distribution.</P>
5402 <P>This distribution contains two major subsystems </P>
5404 <DT><A href="#klips.roadmap">KLIPS</A></DT>
5405 <DD>the kernel code</DD>
5406 <DT><A href="#pluto.roadmap">Pluto</A></DT>
5407 <DD>the user-level key-management daemon</DD>
5409 <P>plus assorted odds and ends. </P>
5410 <H2><A name="top">Top directory</A></H2>
5411 <P>The top directory has essential information in text files:</P>
5414 <DD>introduction to the software</DD>
5416 <DD>short experts-only installation procedures. More detalied
5417 procedures are in <A href="install.html"> installation</A> and <A href="config.html">
5418 configuration</A> HTML documents.</DD>
5420 <DD>major known bugs in the current release.</DD>
5422 <DD>changes from previous releases</DD>
5424 <DD>acknowledgement of contributors</DD>
5426 <DD>licensing and distribution information</DD>
5428 <H2><A name="doc">Documentation</A></H2>
5429 <P> The doc directory contains the bulk of the documentation, most of
5430 it in HTML format. See the <A href="index.html">index file</A> for
5432 <H2><A name="klips.roadmap">KLIPS: kernel IP security</A></H2>
5433 <P><A href="#KLIPS"> KLIPS</A> is <STRONG>K</STRONG>erne<STRONG>L</STRONG><STRONG>
5434 IP</STRONG><STRONG> S</STRONG>ecurity. It lives in the klips
5435 directory, of course. </P>
5438 <DD>documentation</DD>
5439 <DT>klips/patches</DT>
5440 <DD>patches for existing kernel files</DD>
5443 <DT>klips/utils</DT>
5444 <DD>low-level user utilities</DD>
5445 <DT>klips/net/ipsec</DT>
5446 <DD>actual klips kernel files</DD>
5448 <DD>symbolic link to klips/net/ipsec </DD>
5449 <P>The "make insert" step of installation installs the patches and
5450 makes a symbolic link from the kernel tree to klips/net/ipsec. The odd
5451 name of klips/net/ipsec is dictated by some annoying limitations of
5452 the scripts which build the Linux kernel. The symbolic-link business
5453 is a bit messy, but all the alternatives are worse.</P>
5455 <DT>klips/utils</DT>
5456 <DD>Utility programs: </DD>
5460 <DD>manipulate IPSEC extended routing tables</DD>
5462 <DD>set Klips (kernel IPSEC support) debug features and level</DD>
5464 <DD>manage IPSEC Security Associations</DD>
5466 <DD>group/ungroup IPSEC Security Associations</DD>
5468 <DD>associate IPSEC virtual interface with real interface</DD>
5470 <P>These are all normally invoked by ipsec(8) with commands such as</P>
5471 <PRE> ipsec tncfg <VAR>arguments</VAR></PRE>
5472 There are section 8 man pages for all of these; the names have
5473 "ipsec_" as a prefix, so your man command should be something like:
5474 <PRE> man 8 ipsec_tncfg</PRE>
5476 <H2><A name="pluto.roadmap">Pluto key and connection management daemon</A>
5478 <P><A href="#Pluto"> Pluto</A> is our key management and negotiation
5479 daemon. It lives in the pluto directory, along with its low-level user
5480 utility, whack. </P>
5481 <P> There are no subdirectories. Documentation is a man page, <A href="manpage.d/ipsec_pluto.8.html">
5482 pluto.8</A>. This covers whack as well. </P>
5483 <H2><A name="utils">Utils</A></H2>
5484 <P> The utils directory contains a growing collection of higher-level
5485 user utilities, the commands that administer and control the software.
5486 Most of the things that you will actually have to run yourself are in
5490 <DD>invoke IPSEC utilities </DD>
5491 <P>ipsec(8) is normally the only program installed in a standard
5492 directory, /usr/local/sbin. It is used to invoke the others, both
5493 those listed below and the ones in klips/utils mentioned above.</P>
5496 <DD>control automatically-keyed IPSEC connections</DD>
5498 <DD>take manually-keyed IPSEC connections up and down</DD>
5500 <DD>generate copious debugging output</DD>
5502 <DD>generate moderate amounts of debugging output</DD>
5504 <P> There are .8 manual pages for these. look is covered in barf.8. The
5505 man pages have an "ipsec_" prefix so your man command should be
5506 something like: </P>
5510 <P> Examples are in various files with names utils/*.eg</P>
5511 <H2><A name="lib">Libraries</A></H2>
5512 <H3><A name="fswanlib">FreeS/WAN Library</A></H3>
5513 <P> The lib directory is the FreeS/WAN library, also steadily growing,
5514 used by both user-level and kernel code.
5515 <BR /> It includes section 3 <A href="manpages.html">man pages</A> for
5516 the library routines. </P>
5517 <H3><A name="otherlib">Imported Libraries</A></H3>
5519 The libdes library, originally from SSLeay, is used by both Klips and
5520 Pluto for <A href="#3DES">Triple DES</A> encryption. Single DES is not
5521 used because <A href="#desnotsecure">it is insecure</A>.
5522 <P> Note that this library has its own license, different from the <A href="#GPL">
5523 GPL</A> used for other code in FreeS/WAN. </P>
5524 <P> The library includes its own documentation. </P>
5526 The GMP (GNU multi-precision) library is used for multi-precision
5527 arithmetic in Pluto's key-exchange code and public key code.
5528 <P> Older versions (up to 1.7) of FreeS/WAN included a copy of this
5529 library in the FreeS/WAN distribution. </P>
5530 <P> Since 1.8, we have begun to rely on the system copy of GMP. </P>
5532 <H1><A name="compat">Linux FreeS/WAN Compatibility Guide</A></H1>
5533 <P> Most of this document is quoted directly from the Linux FreeS/WAN <A href="mail.html">
5534 mailing list</A>. Thanks very much to the community of testers,
5535 patchers and commenters there, especially the ones quoted below but
5536 also various contributors we haven't quoted.</P>
5537 <H2><A name="spec">Implemented parts of the IPSEC Specification</A></H2>
5538 <P> In general, do not expect Linux FreeS/WAN to do everything yet.
5539 This is a work-in-progress and some parts of the IPSEC specification
5540 are not yet implemented.</P>
5541 <H3><A name="in">In Linux FreeS/WAN</A></H3>
5542 <P> Things we do, as of version 1.9:</P>
5544 <LI>key management methods
5546 <DT>manually keyed</DT>
5547 <DD>using keys stored in /etc/ipsec.conf</DD>
5548 <DT>automatically keyed</DT>
5549 <DD>Automatically negotiating session keys as required. All
5550 connections are automatically re-keyed periodically. The <A href="#Pluto">
5551 Pluto</A> daemon implements this using the <A href="#IKE">IKE</A>
5555 <LI>Methods of authenticating gateways for IKE
5557 <DT>shared secrets</DT>
5558 <DD>stored in /etc/ipsec.secrets</DD>
5559 <DT>RSA signatures</DT>
5560 <DD>This was new code in 1.3. For details, see pluto(8).</DD>
5561 <DT>looking up RSA authentication keys from <A href="#DNS">DNS</A>.</DT>
5562 <DD>This was new code in 1.4, and is not yet heavily tested. Note that
5563 this technique cannot be fully secure until <A href="#SDNS">secure DNS</A>
5564 is widely deployed.</DD>
5567 <LI>groups for Diffie-Hellman key negotiation
5569 <DT>group 2, modp 1024-bit</DT>
5570 <DT>group 5, modp 1536-bit</DT>
5571 <DD>We implement these two groups. </DD>
5572 <P> In negotiating a keying connection (ISAKMP SA, Phase 1) we propose
5573 both groups when we are the initiator, and accept either when a peer
5574 proposes them. Once the keying connection is made, we propose only the
5575 alternative agreed there for data connections (IPSEC SA's, Phase 2)
5576 negotiated over that keying connection.</P>
5579 <LI>encryption transforms
5581 <DT><A href="#DES">DES</A></DT>
5582 <DD>DES is in the source code since it is needed to implement 3DES,
5583 but single DES is not made available to users because <A href="#desnotsecure">
5584 DES is insecure</A>.</DD>
5585 <DT><A href="#3DES">Triple DES</A></DT>
5586 <DD>implemented, and used as the default encryption in Linux FreeS/WAN.</DD>
5589 <LI>authentication transforms
5591 <DT>keyed <A href="#MD5">MD5</A></DT>
5592 <DD>implemented, may be used in IKE or by by AH or ESP transforms.</DD>
5593 <DT>keyed <A href="#SHA">SHA</A></DT>
5594 <DD>implemented, may be used in IKE or by AH or ESP transforms.</DD>
5597 <P> In negotiations, we propose both of these and accept either. </P>
5598 <LI>compression transforms
5601 <DD>IPComp as described in RFC 2393 has been added for FreeS/WAN 1.6.
5602 It is disabled in the default FreeS/WAN kernel configuration because
5603 it is new code, not yet fully trusted. Note that Pluto becomes
5604 confused if you ask it to do IPComp when the kernel cannot. </DD>
5605 <P> Some difficulties in interopreation are anticipated with this. The
5606 RFC says to leave out some things which many compression libraries put
5607 in. We do leave these out, but other implementations may not. </P>
5611 <P> All combinations of implemented transforms are supported. Note that
5612 some form of packet-level <STRONG>authentication is required whenever
5613 encryption is used</STRONG>. Without it, the encryption will not be
5615 <H3><A name="dropped">Deliberately ommitted</A></H3>
5616 We do not implement everything in the RFCs because some of those
5617 things are insecure. See our discussions of avoiding <A href="#weak">
5620 <P> Things we deliberately omit which are required in the RFCs are:</P>
5622 <LI>null encryption (to use ESP as an authentication-only service) </LI>
5623 <LI>single DES </LI>
5624 <LI>DH group 1, a 768-bit modp group </LI>
5626 <P> Since these are the only encryption algorithms and DH group the
5627 RFCs require, it is possible in theory to have a standards-conforming
5628 implementation which will not interpoperate with FreeS/WAN. Such an
5629 implementation would be inherently insecure, so we do not consider this
5630 a problem. Anyway, most implementations sensibly include more secure
5631 options as well, so dropping null encryption, single DES and Group 1
5632 does not greatly hinder interoperation in practice.</P>
5633 <P> We also do not implement some optional features allowed by the
5636 <LI>aggressive mode for negotiation of the keying channel or ISAKMP SA.
5637 This mode is a little faster than main mode, but exposes more
5638 information to an eavesdropper. </LI>
5640 <P> In theory, this should cause no interoperation problems since all
5641 implementations are required to support the more secure main mode,
5642 whether or not they also allow aggressive mode. </P>
5643 <P> In practice, it does sometimes produce problems with
5644 implementations such as Windows 2000 where aggressive mode is the
5645 default. Typically, these are easily solved with a configuration change
5646 that overrides that default.</P>
5647 <H3><A name="not">Not (yet) in Linux FreeS/WAN</A></H3>
5648 <P> Things we don't yet do, as of version 1.91:</P>
5650 <LI>key management methods
5652 <LI>authenticate key negotiations via local <A href="#PKI">PKI</A>
5653 server, but see links to user <A href="#patch">patches</A></LI>
5654 <LI>authenticate key negotiations via <A href="#SDNS">secure DNS</A></LI>
5655 <LI>unauthenticated key management, using <A href="#DH">Diffie-Hellman</A>
5656 key agreement protocol without authentication. Arguably, this would
5657 be worth doing since it is secure against all passive attacks. On the
5658 other hand, it is vulnerable to an active <A href="#middle">
5659 man-in-the-middle attack</A>.</LI>
5660 <LI>opportunistic IPSEC tunnel creation, in which any two IPSEC aware
5661 machines can automatically try to negotiate encryption for any
5662 communication, subject of course to their local policies. This is a
5663 long-term goal of the Linux FreeS/WAN project, but it requires at
5666 <LI>a nearly universal PKI</LI>
5667 <LI>widespread use of secure DNS</LI>
5668 <LI>a decision to take the risks of unauthenticated keying</LI>
5670 None of these are in place yet. </LI>
5671 <P>We expect eventually to do it using DNS. The newer versions of <A href="#BIND">
5672 BIND</A> provide much of what we need but they are not yet widespread
5673 and our code to communicate with them is not ready.</P>
5674 <P><STRONG> Update:</STRONG> As of 1.91, we have beta-testable code for
5675 opportunistic encryption. See our <A href="#oppex">configuration
5680 <LI>encryption transforms </LI>
5681 <P>Currently <A href="#3DES">Triple DES</A> is the only encryption
5682 method Pluto will negotiate.</P>
5683 <P>No additional encryption transforms are yet implemented, though the
5684 RFCs allow them and some other IPSEC implementations support various
5685 of them. We are not eager to add more, since they complicate both our
5686 work and that of the gateway administrator without any obvious
5687 security improvement. We would certainly not want to incorporate any
5688 cryptographic method that had inadequate key length or had not been
5689 sujected to intensive review over some time.</P>
5690 <P>Rjindael, which just won the <A href="#AES">AES</A> competition to
5691 choose a successor to the DES standard, is an excellent candidate for
5692 inclusion in FreeS/WAN. This might be a good project for a volunteer.</P>
5693 <LI>authentication transforms </LI>
5694 <P>No optional additional authentication transforms are currently
5695 implemented and we do not forsee a need to add any soon.</P>
5696 <LI>Policy checking on decrypted packets </LI>
5697 <P> To fully comply with the RFCs, it is not enough just to accept only
5698 packets which survive any firewall rules in place to limit what IPSEC
5699 packets get in, and then pass KLIPS authentication. That is what
5700 FreeS/WAN currently does. </P>
5701 <P> We should also apply additional tests, for example ensuring that
5702 all packets emerging from a particular tunnel have sourcen and
5703 destination addresses that fall within the subnets defined for that
5704 tunnel, and that packets with those addresses that did not emerge from
5705 the appropriate tunnel are disallowed. </P>
5706 <P> This will be done as part of the KLIPS rewrite currently in
5707 progress. See these <A href="#applied">links</A> and the <A href="mail.html">
5708 design mailing list</A> for discussion. </P>
5709 <H2><A name="pfkey">Our PF-Key implementation</A></H2>
5710 <P>We use PF-key Version Two for communication between the KLIPS kernel
5711 code and the Pluto Daemon. PF-Key v2 is defined by <A href="http://www.normos.org/ietf/rfc/rfc2367.txt">
5713 <P>The "PF" stands for Protocol Family. PF-Inet defines a
5714 kernel/userspace interface for the TCP/IP Internet protocols (TCP/IP),
5715 and other members of the PF series handle Netware, Appletalk, etc.
5716 PF-Key is just a PF for key-related matters.</P>
5717 <P>Our PF-Key implementation is not yet (mid-July 2000) complete. In
5718 particular, it is mostly one-way, used for Pluto to talk to KLIPS but
5719 not yet doing much upward communication from kernel to user space.
5720 This will change, but is not at the top of our priority list.</P>
5721 <H3><A name="pfk.port">PF-Key portability</A></H3>
5722 <P> PF-Key came out of Berkeley Unix work and is used in the various
5723 BSD IPSEC implementations, and in Solaris. This means there is some
5724 hope of porting our Pluto(8) to one of the BSD distributions, or of
5725 running their photurisd(8) on Linux if you prefer <A href="#photuris">
5726 Photuris</A> key management over IKE.</P>
5727 <P> It is, however, more complex than that. The PK-Key RFC deliberately
5728 deals only with keying, not policy management. The three PF-Key
5729 implementations we have looked at -- ours, OpenBSD and KAME -- all have
5730 extensions to deal with security policy, and the extensions are
5731 different. There have been discussions aimed at sorting out the
5732 differences, perhaps for a version three PF-Key spec. All players are
5733 in favour of this, but everyone involved is busy and it is not clear
5734 whether or when these discussions might bear fruit.</P>
5735 <H2><A name="otherk">Kernels other than 2.0.38 and 2.2.18</A></H2>
5736 <P> We develop and test on:</P>
5738 <LI>Redhat 6.1 with a 2.2.19 kernel.</LI>
5739 <LI>Redhat 7.1 with a 2.4.4 kernel.</LI>
5741 <P> This is what we recommend. </P>
5742 <H3><A name="kernel.2.0">Other 2.0.x Intel Kernels</A></H3>
5743 <P> Consider upgrading to the 2.2 kernel series. If you want to stay
5744 with the 2.0 series, then we strongly recommend 2.0.39. Some useful
5745 security patches were added in 2.0.38.</P>
5746 <P> Various versions of the code have run at various times on most
5747 2.0.xx kernels, but the current version is only lightly tested on
5748 2.0.39, and not at all on older kernels. </P>
5749 <P> Some of our patches for older kernels are shipped in 2.0.37 and
5750 later, so they are no longer provided in FreeS/WAN. This means recent
5751 versions of FreeS/WAN will probably not compile om anything earlier
5753 <H3><A name="kernel.production">2.2 and 2.4 Kernels</A></H3>
5755 <DT>FreeS/WAN 1.0</DT>
5756 <DD>ran only on 2.0 kernels</DD>
5757 <DT>FreeS/WAN 1.1 to 1.8</DT>
5758 <DD>ran on 2.0 or 2.2 kernels
5759 <BR> ran on some development kernels, 2.3 or 2.4-test</DD>
5760 <DT>FreeS/WAN 1.9</DT>
5761 <DD>runs on 2.0, 2.2 or 2.4 kernels</DD>
5763 <P> In general, <STRONG>we suggest the latest 2.2 kernel or 2.4 for
5764 production use</STRONG>. At time of writing (early June 2001, just
5765 before our 1.91 release) these are 2.2.19 and 2.4.5. </P>
5766 <P> Of course no release can be guaranteed to run on kernels more
5767 recent than it is, so quite often there will be no stable FreeS/WAN for
5768 the absolute latest kernel. See the <A href="#k.versions">FAQ</A> for
5770 <H2><A name="otherdist">Intel Linux distributions other than Redhat</A></H2>
5771 <P> We develop and test on Redhat 6.1 for 2.2 kernels, and on Redhat
5772 7.1 for 2.4, so minor changes may be required for other distributions.</P>
5773 <H3><A name="rh7">Redhat 7.0</A></H3>
5774 <P> There are some problems with FreeS/WAN on Redhat 7.0, but they are
5776 <P> Redhat 7 ships with two compilers. </P>
5778 <LI>Their <VAR>gcc</VAR> is version 2.96. Various people, including the
5779 GNU compiler developers and Linus, have said fairly emphatically that
5780 using this was a mistake. 2.96 is a development version, not intended
5781 for production use. In particular, it will not compile a Linux kernel. </LI>
5782 <LI> Redhat therefore also ship a separate compiler, which they call <VAR>
5783 kgcc</VAR>, for compiling kernels. </LI>
5785 <P> Kernel Makefiles have <VAR>gcc</VAR> as a default, and must be
5786 adjusted to use <VAR>kgcc</VAR> before a kernel will compile on 7.0.
5787 This mailing list message gives details: </P>
5789 Subject: Re: AW: Installing IPSEC on Redhat 7.0
5790 Date: Thu, 1 Feb 2001 14:32:52 -0200 (BRST)
5791 From: Mads Rasmussen <mads@cit.com.br>
5793 > From www.redhat.com/support/docs/gotchas/7.0/gotchas-7-6.html#ss6.1
5795 cd to /usr/src/linux and open the Makefile in your favorite editor. You
5796 will need to look for a line similar to this:
5798 CC = $(CROSS_COMPILE)gcc -D__KERNEL__ -I$(HPATH)
5801 This line specifies which C compiler to use to build the kernel. It should
5804 CC = $(CROSS_COMPILE)kgcc -D__KERNEL__ -I$(HPATH)
5806 for Red Hat Linux 7. The kgcc compiler is egcs 2.91.66. From here you can
5807 proceed with the typical compiling steps.
5809 Check the <A href="mail.html">mailing list</A> archive for more recent
5811 <H3><A name="suse">SuSE Linux</A></H3>
5812 <P> SuSE 6.3 and later versions, at least in Europe, ship with
5813 FreeS/WAN included.</P>
5814 <P>Here are some notes for an earlier SuSE version.</P>
5815 <H4>SuSE Linux 5.3</H4>
5816 <PRE>Date: Mon, 30 Nov 1998
5817 From: Peter Onion <ponion@srd.bt.co.uk>
5819 ... I got Saturdays snapshot working between my two SUSE5.3 machines at home.
5821 The mods to the install process are quite simple. From memory and looking at
5822 the files on the SUSE53 machine here at work....
5824 And extra link in each of the /etc/init.d/rc?.d directories called K35ipsec
5825 which SUSE use to shut a service down.
5827 A few mods in /etc/init.d/ipsec to cope with the different places that SUSE
5828 put config info, and remove the inculsion of /etc/rc.d/init.d/functions and .
5829 /etc/sysconfig/network as they don't exists and 1st one isn't needed anyway.
5831 insert ". /etc/rc.config" to pick up the SUSE config info and use
5833 if test -n "$NETCONFIG" -a "$NETCONFIG" != "YAST_ASK" ; then
5837 [ ${NETWORKING} = "no" ] amp; exit 0
5839 Create /etc/sysconfig as SUSE doesn't have one.
5841 I think that was all (but I prob forgot something)....</PRE>
5842 <P>You may also need to fiddle initialisation scripts to ensure that
5843 /var/run/pluto.pid is removed when rebooting. If this file is present,
5844 Pluto does not come up correctly.</P>
5845 <H3><A name="slack">Slackware</A></H3>
5847 Subject: Re: linux-ipsec: Slackware distribution
5848 Date: Thu, 15 Apr 1999 12:07:01 -0700
5849 From: Evan Brewer <dmessiah@silcon.com>
5851 > Very shortly, I will be needing to install ipsec on at least gateways that
5852 > are running Slackware. . . .
5854 The only trick to getting it up is that on the slackware dist there is no
5855 init.d directory in /etc/rc.d .. so create one. Then, what I do is take the
5856 ipsec startup script which normally gets put into the init.d directory, and
5857 put it in /etc/rc.d and name ir rc.ipsec .. then I symlink it to the file
5858 in init.d. The only file in the dist you need to really edit is the
5859 utils/Makefile, setup4:
5861 Everything else should be just fine.
5865 Subject: Re: HTML Docs- Need some cleanup?
5866 Date: Mon, 8 Jan 2001
5867 From: Jody McIntyre <jodym@oeone.com>
5869 I have successfully installed FreeS/WAN on several Slackware 7.1 machines.
5870 FreeS/WAN installed its rc.ipsec file in /etc/rc.d. I had to manually call
5871 this script from rc.inet2. This seems to be an easier method than Evan
5874 <H3><A name="deb">Debian</A></H3>
5875 <PRE>Subject: FreeS/WAN 1.0 on Debian 2.1
5876 Date: Tue, 20 Apr 1999
5877 From: Tim Miller <cerebus+counterpane@haybaler.sackheads.org>
5879 Compiled and installed without error on a Debian 2.1 system
5880 with kernel-source-2.0.36 after pointing RCDIR in utils/Makefile to
5883 /var/lock/subsys/ doesn't exist on Debian boxen, needs to be
5884 created; not a fatal error.
5886 Finally, ipsec scripts appear to be dependant on GNU awk
5887 (gawk); the default Debian awk (mawk-1.3.3-2) had fatal difficulties.
5888 With gawk installed and /etc/alternatives/awk linked to /usr/bin/gawk
5889 operation appears flawless.</PRE>
5890 <P> The scripts in question have been modified since this was posted.
5891 Awk versions should no longer be a problem.</P>
5892 <H3><A name="caldera">Caldera</A></H3>
5894 Subject: Re: HTML Docs- Need some cleanup?
5895 Date: Mon, 08 Jan 2001
5896 From: Andy Bradford <andyb@calderasystems.com>
5898 On Sun, 07 Jan 2001 22:59:05 EST, Sandy Harris wrote:
5900 > Intel Linux distributions other than Redhat 5.x and 6.x
5907 Can you please include Caldera in this list? I have tested it since
5908 FreeS/Wan 1.1 and it works great with our systems---provided one
5909 follows the FreeS/Wan documentation. :-)
5914 <H2><A name="CPUs">CPUs other than Intel</A></H2>
5915 <P> FreeS/WAN has been run sucessfully on a number of different CPU
5916 architectures. If you have tried it on one not listed here, please post
5917 to the <A href="mail.html">mailing list</A>.</P>
5918 <H3><A name=" strongarm">Corel Netwinder (StrongARM CPU)</A></H3>
5919 <PRE>Subject: linux-ipsec: Netwinder diffs
5920 Date: Wed, 06 Jan 1999
5921 From: rhatfield@plaintree.com
5923 I had a mistake in my ipsec-auto, so I got things working this morning.
5925 Following are the diffs for my changes. Probably not the best and cleanest way
5926 of doing it, but it works. . . . </PRE>
5927 <P>These diffs are in the 0.92 distribution and any snapshot after Feb
5928 20 1999, so these should work out-of-the-box on Netwinder.</P>
5929 <H3><A name="yellowdog">Yellow Dog Linux on Power PC</A></H3>
5930 <PRE>Subject: Compiling FreeS/WAN 1.1 on YellowDog Linux (PPC)
5932 From: Darron Froese <darron@fudgehead.com>
5934 I'm summarizing here for the record - because it's taken me many hours to do
5935 this (multiple times) and because I want to see IPSEC on more linuxes than
5938 Also, I can't remember if I actually did summarize it before... ;-) I'm
5939 working too many late hours.
5941 That said - here goes.
5943 1. Get your linux kernel and unpack into /usr/src/linux/ - I used 2.2.13.
5944 <http://www.kernel.org/pub/linux/kernel/v2.2/linux-2.2.13.tar.bz2>
5946 2. Get FreeS/WAN and unpack into /usr/src/freeswan-1.1
5947 <ftp://ftp.xs4all.nl/pub/crypto/freeswan/freeswan-1.1.tar.gz>
5949 3. Get the gmp src rpm from here:
5950 <ftp://ftp.yellowdoglinux.com//pub/yellowdog/champion-1.1/SRPMS/SRPMS/gmp-2.0.2-9a.src.rpm>
5952 4. Su to root and do this: rpm --rebuild gmp-2.0.2-9a.src.rpm
5954 You will see a lot of text fly by and when you start to see the rpm
5955 recompiling like this:
5959 + cd /usr/src/redhat/BUILD
5961 + libtoolize --copy --force
5962 Remember to add `AM_PROG_LIBTOOL' to `configure.in'.
5963 You should add the contents of `/usr/share/aclocal/libtool.m4' to
5965 + CFLAGS=-O2 -fsigned-char
5966 + ./configure --prefix=/usr
5968 Hit Control-C to stop the rebuild. NOTE: We're doing this because for some
5969 reason the gmp source provided with FreeS/WAN 1.1 won't build properly on
5972 cd /usr/src/redhat/BUILD/
5973 cp -ar gmp-2.0.2 /usr/src/freeswan-1.1/
5974 cd /usr/src/freeswan-1.1/
5978 5. Open the freeswan Makefile and change the line that says:
5979 KERNEL=$(b)zimage (or something like that) to
5985 Select an option or two and then exit - saving your changes.
5987 8. cd ../freeswan-1.1/ ; make menugo
5989 That will start the whole process going - once that's finished compiling,
5990 you have to install your new kernel and reboot.
5992 That should build FreeS/WAN on ydl (I tried it on 1.1).</PRE>
5993 And a later message on the same topic:
5994 <PRE>Subject: Re: FreeS/WAN, PGPnet and E-mail
5995 Date: Sat, 22 Jan 2000
5996 From: Darron Froese <darron@fudgehead.com>
5998 on 1/22/00 6:47 PM, Philip Trauring at philip@trauring.com wrote:
6000 > I have a PowerMac G3 ...
6002 The PowerMac G3 can run YDL 1.1 just fine. It should also be able to run
6003 FreeS/WAN 1.2patch1 with a couple minor modifications:
6005 1. In the Makefile it specifies a bzimage for the kernel compile - you have
6006 to change that to vmlinux for the PPC.
6008 2. The gmp source that comes with FreeS/WAN (for whatever reason) fails to
6009 compile. I have gotten around this by getting the gmp src rpm from here:
6011 ftp://ftp.yellowdoglinux.com//pub/yellowdog/champion-1.1/SRPMS/SRPMS/gmp-2.0.2-9a.src.rpm
6013 If you rip the source out of there - and place it where the gmp source
6014 resides it will compile just fine.</PRE>
6015 <H3><A name="mklinux">Mklinux</A></H3>
6016 <P>One user reports success on the Mach-based <STRONG> m</STRONG>icro<STRONG>
6017 k</STRONG>ernel Linux.</P>
6018 <PRE>Subject: Smiles on sparc and ppc
6019 Date: Fri, 10 Mar 2000
6020 From: Jake Hill <jah@alien.bt.co.uk>
6022 You may or may not be interested to know that I have successfully built
6023 FreeS/WAN on a number of non intel alpha architectures; namely on ppc
6024 and sparc and also on osfmach3/ppc (MkLinux). I can report that it just
6025 works, mostly, with few changes.</PRE>
6026 <H3><A name="alpha">Alpha 64-bit processors</A></H3>
6027 <PRE>Subject: IT WORKS (again) between intel & alpha :-)))))
6028 Date: Fri, 29 Jan 1999
6029 From: Peter Onion <ponion@srd.bt.co.uk>
6031 Well I'm happy to report that I've got an IPSEC connection between by intel & alpha machines again :-))
6033 If you look back on this list to 7th of December I wrote...
6035 -On 07-Dec-98 Peter Onion wrote:
6037 -> I've about had enuf of wandering around inside the kernel trying to find out
6038 -> just what is corrupting outgoing packets...
6040 -Its 7:30 in the evening .....
6042 -I FIXED IT :-))))))))))))))))))))))))))))))))
6044 -It was my own fault :-((((((((((((((((((
6046 -If you ask me very nicly I'll tell you where I was a little too over keen to
6047 -change unsigned long int __u32 :-) OPSE ...
6049 -So tomorrow it will full steam ahead to produce a set of diffs/patches against
6054 <P>In general (there have been some glitches), FreeS/WAN has been
6055 running on Alphas since then.</P>
6056 <H3><A name="SPARC">Sun SPARC processors</A></H3>
6057 <P>Several users have reported success with FreeS/WAN on SPARC Linux.
6058 Here is one mailing list message:</P>
6060 Subject: Smiles on sparc and ppc
6061 Date: Fri, 10 Mar 2000
6062 From: Jake Hill <jah@alien.bt.co.uk>
6064 You may or may not be interested to know that I have successfully built
6065 FreeS/WAN on a number of non intel alpha architectures; namely on ppc
6066 and sparc and also on osfmach3/ppc (MkLinux). I can report that it just
6067 works, mostly, with few changes.
6069 I have a question, before I make up some patches. I need to hack
6070 gmp/mpn/powerpc32/*.s to build them. Is this ok? The changes are
6071 trivial, but could I also use a different version of gmp? Is it vanilla
6074 I guess my only real headache is from ipchains, which appears to stop
6075 running when IPSec has been started for a while. This is with 2.2.14 on
6077 <P> This message, from a different mailing list, may be relevant for
6078 anyone working with FreeS/WAN on Suns:</P>
6080 Subject: UltraSPARC DES assembler
6081 Date: Thu, 13 Apr 2000
6082 From: svolaf@inet.uni2.dk (Svend Olaf Mikkelsen)
6083 To: coderpunks@toad.com
6085 An UltraSPARC assembler version of the LibDES/SSLeay/OpenSSL des_enc.c
6086 file is available at http://inet.uni2.dk/~svolaf/des.htm.
6088 This brings DES on UltraSPARC from slower than Pentium at the same
6089 clock speed to significantly faster.
6091 <H3><A name="mips">MIPS processors</A></H3>
6092 <P>We know FreeS/WAN runs on at least some MIPS processors because <A href="http://www.lasat.com">
6093 Lasat</A> (who host our freeswan.org web site) manufacture an IPSEC
6094 box based on an embedded MIPS running Linux with FreeS/WAN. We have no
6096 <H3><A name="coldfire">Motorola Coldfire</A></H3>
6098 Subject: Re: Crypto hardware support
6099 Date: Mon, 03 Jul 2000
6100 From: Dan DeVault <devault@tampabay.rr.com>
6102 .... I have been running
6103 uClinux with FreeS/WAN 1.4 on a system built by Moreton Bay (
6104 http://www.moretonbay.com ) and it was using a Coldfire processor
6105 and was able to do the Triple DES encryption at just about
6106 1 mbit / sec rate....... they put a Hi/Fn 7901 hardware encryption
6107 chip on their board and now their system does over 25 mbit of 3DES
6108 encryption........ pretty significant increase if you ask me.
6110 <H2><A name="multiprocessor">Multiprocessor machines</A></H2>
6111 <P> FreeS/WAN is designed to work on SMP (symmetric multi-processing)
6112 Linux machines and is regularly tested on dual processor x86 machines. </P>
6113 <P> We do not know of any testing on multi-processor machines with
6114 other CPU architectures or with more than two CPUs. Anyone who does
6115 test this, please report results to the <A href="mail.html">mailing list</A>
6117 <P> The current design does not make particularly efficient use of
6118 multiprocessor machines; some of the kernel work is single-threaded.
6119 This issue is being addressed in the KLIPS II redesign. </P>
6120 <H2><A name="hardware">Support for crypto hardware</A></H2>
6121 <P> Supporting hardware cryptography accelerators has not been a high
6122 priority for the development team because it raises a number of fairly
6125 <LI>Can you trust the hardware? If it is not Open Source, how do you
6126 audit its security? Even if it is, how do you check that the design has
6127 no concealed traps?</LI>
6128 <LI>If an interface is added for such hardware, can that interface be
6129 subverted or misused?</LI>
6130 <LI>Is hardware acceleration actually a performance win? It clearly is
6131 in many cases, but on a fast machine it might be better to use the CPU
6132 for the encryption than to pay the overheads of moving data to and from
6133 a crypto board.</LI>
6134 <LI>the current KLIPS code does not provide a clean interface for
6135 hardware accelerators</LI>
6137 <P> That said, we have a <A href="#coldfire">report</A> of FreeS/WAN
6138 working with one crypto accelerator and some work is going on to modify
6139 KLIPS to create a clean generic interface to such products. See this <A href="http://www.jukie.net/~bart/linux-ipsec/">
6140 web page</A> for some of the design discussion. </P>
6141 <H2><A name="ipv6">IP version 6 (IPng)</A></H2>
6142 The Internet currently runs on version four of the IP protocols. IPv4
6143 is what is in the standard Linux IP stack, and what FreeS/WAN was built
6144 for. In IPv4, IPSEC is an optional feature.
6145 <P> The next version of the IP protocol suite is version six, usually
6146 abbreviated either as "IPv6" or as "IPng" for "IP: the next
6147 generation". For IPv6, IPSEC is a required feature. Any machine doing
6148 IPv6 is required to support IPSEC, much as any machine doing (any
6149 version of) IP is required to support ICMP.</P>
6150 <P> There is a Linux implementation of IPv6 in Linux kernels 2.2 and
6151 above. For details, see the <A href="http://www.cs-ipv6.lancs.ac.uk/ipv6/systems/linux/faq/">
6152 FAQ</A>. It does not yet support IPSEC. The <A href="http://www.linux-ipv6.org/">
6153 USAGI</A> project are also working on IPv6 for Linux.</P>
6154 <P> FreeS/WAN was originally built for the current standard, IPv4, but
6155 we are interested in seeing it work with IPv6. Some progress has been
6156 made, but at time of writing (February 2001), the job is not complete.
6157 For more recent information, check the <A href="mail.html">mailing list</A>
6159 <P> The first release of FreeS/WAN (1.8) patched for IPv6 support is
6160 now <A href="http://www.ipv6.iabg.de/downloadframe/index.html">
6162 <H3><A name="v6.back">IPv6 background</A></H3>
6163 <P> IPv6 has been specified by an IETF <A href="http://www.ietf.org/html.charters/ipngwg-charter.html">
6164 working group</A>. The group's page lists over 30 RFCs to date, and
6165 many Internet Drafts as well. The overview is <A href="http://www.ietf.org/rfc/rfc2460.txt">
6166 RFC 2460</A>. Major features include: </P>
6168 <LI>expansion of the address space from 32 to 128 bits, </LI>
6169 <LI>changes to improve support for
6172 <LI>automatic network configuration </LI>
6173 <LI>quality of service routing </LI>
6177 <LI>improved security via IPSEC </LI>
6179 <P> A number of projects are working on IPv6 implementation. A
6180 prominent Open Source effort is <A href="http://www.kame.net/">KAME</A>
6181 , a collaboration among several large Japanese companies to implement
6182 IPv6 for Berkeley Unix. Other major players are also working on IPv6.
6183 For example, see pages at <A href="http://playground.sun.com/pub/ipng/html/ipng-main.html">
6184 Sun</A>, <A href="http://www.cisco.com/warp/public/732/ipv6/index.html">
6185 Cisco</A> and <A href="http://www.microsoft.com/WINDOWS2000/library/howitworks/communications/networkbasics/IPv6.asp">
6186 Microsoft</A>. The <A href="http://www.6bone.net/">6bone</A> (IPv6
6187 backbone) testbed network has been up for some time. There is an active <A
6188 href="http://www.ipv6.org/">IPv6 user group</A>. </P>
6189 <P> One of the design goals for IPv6 was that it must be possible to
6190 convert from v4 to v6 via a gradual transition process. Imagine the
6191 mess if there were a "flag day" after which the entire Internet used
6192 v6, and all software designed for v4 stopped working. Almost every
6193 computer on the planet would need major software changes! There would
6194 be huge costs to replace older equipment. Implementers would be worked
6195 to death before "the day", systems administrators and technical support
6196 would be completely swamped after it. The bugs in every implementation
6197 would all bite simultaneously. Large chunks of the net would almost
6198 certainly be down for substantial time periods. ... </P>
6199 <P> Fortunately, the design avoids any "flag day". It is therefore a
6200 little tricky to tell how quickly IPv6 will take over. The transition
6201 has certainly begun. For examples, see announcements from <A href="http://www.mailbase.ac.uk/lists/internet2/2000-03/0016.html">
6202 NTT</A> and <A href="http://www.vnunet.com/News/1102383">Nokia</A>.
6203 However, it is not yet clear how quickly the process will gain
6204 momentum, or when it will be completed. Likely large parts of the
6205 Internet will remain with IPv4 for years to come. </P>
6207 <H1 name="interop"><A NAME="10">Interoperation with other IPSEC
6208 implementations</A></H1>
6209 <P> The IPSEC protocols are designed to allow interoperation between
6210 different implementations. Other sections of this documentation have
6211 more detail on: </P>
6213 <LI>the IPSEC <A href="ipsec.html">protocol specifications</A></LI>
6214 <LI>parts of the protocols <A href="#spec">implemented or ommitted</A>
6216 <LI><A href="#implement">other implementations</A></LI>
6218 <P> FreeS/WAN does interoperate successfully with many other
6219 implementations. The ones we know about are listed <A href="#mail.interop">
6221 <P> Of course "the devil is in the details" and the IPSEC protocols
6222 have a lot of details. At least one <A href="http://www.counterpane.com/ipsec.pdf">
6223 critique</A> has argued that the protocols should be simplified.
6224 Various of those details can and do cause difficulties for
6225 interoperation. Should you encounter such problems, please let us know
6226 via the <A href="mail.html">mailing list</A>. We will likely be able to
6227 help you, and your report may be useful both to other users and to the
6228 implementation teams.</P>
6229 <P><STRONG> Note:</STRONG> This file is updated often, whenever I
6230 notice an interesting interop report on the mailing list. If you are
6231 reading the version that ships with a FreeS/WAN release or is posted on
6232 the web, and what you need isn't here, consider downloading the latest
6233 snapshot to get the latest version of the doc. Perhaps I've added what
6234 you need since the last release. </P>
6235 <P> There is additional information on interoperability testing in our <A
6236 href="#interop">web links</A> section. </P>
6237 <H2><A name="patch.interop">Patches to extend interoperability</A></H2>
6238 Sometimes interoperation requires user-contributed patches or add-ons
6239 on the FreeS/WAN end. In general, no patches to the actual IPSEC code
6240 are required. The problem is to make FreeS/WAN recognise RSA keys
6241 stored in formats other than ours. Each such format needs either a
6242 patch to make FreeS/WAN understand that format or a utility to
6243 translate it to the FreeS/WAN format.
6244 <P> For example, unmodified FreeS/WAN cannot use RSA keys generated by <A
6245 href="#PGP">PGP</A> or keys stored in <A href="glossary.html#X.509">
6246 X.509</A> certificates, but patches or utilities are available for both
6247 those formats. See this list of <A href="#patch"> patches and add-ons</A>
6249 <H2><A name="interop.problem">Interoperability problems</A></H2>
6250 <P> The IPSEC RFCs are complex and include a number of optional
6251 features. There is considerable opportunity for even two correct,
6252 standard-conforming, implementations to disagree on details in a way
6253 that blocks interoperation. Of course, misinterpretations of the
6254 standards and implementation or configuration errors on either end can
6255 also foul things up.</P>
6256 <P>That said, FreeS/WAN interoperates successfully with many other
6257 implementations. There is a <A href="#mail.interop">list</A> below.</P>
6258 <P> Known areas where problems may appear are:</P>
6260 <LI><STRONG>FreeS/WAN does not implement single DES</STRONG> because <A href="#desnotsecure">
6261 DES is insecure</A>. Suggestions on what to do if the device you want
6262 to talk to has only DES are <A href="#noDES">below</A>.</LI>
6263 <LI><STRONG>FreeS/WAN does not implement Diffie-Hellman group 1</STRONG>
6264 because it it is not entirely clear that this is secure.</LI>
6265 <LI>The RFCs define two modes for IKE negotiations -- main mode and
6266 aggressive mode. Aggressive mode is slightly faster, but reveals more
6267 information to an eavesdropper. Specifically, it lets an eavesdropper
6268 know what identities are in use. <STRONG>FreeS/WAN does not implement
6269 aggressive mode</STRONG>, so any negotiation another implementation
6270 tries that way will fail. </LI>
6271 <P> In principle this should not be a problem since main mode support
6272 is required in all implementations and aggressive mode is optional.
6273 In practice, it is sometimes a problem. Some implementations default
6274 to aggressive mode unless you configure them for main mode.</P>
6275 <LI> For automatic keying, <STRONG>the FreeS/WAN default is to provide <A
6276 href="#PFS"> perfect forward secrecy</A></STRONG>. We see no reason not
6277 to; this is more secure and costs little. Some other implementations,
6278 however, turn PFS off by default. </LI>
6279 <P> You can turn PFS off in FreeS/WAN with the <VAR>pfs=no</VAR>
6280 setting in <A href="manpage.d/ipsec.conf.5.html"> ipsec.conf(5)</A>,
6281 but if possible we suggest you enable it on the other end instead.
6282 That is more secure.</P>
6283 <LI> The IKE protocol allows several types of optional message. Two
6284 things happen which are allowed by the RFCs:
6286 <LI>Some implementations send various optional messages. </LI>
6287 <LI>FreeS/WAN ignores them. </LI>
6289 However, problems may arise if the other end relies on some expected
6290 effect of these messages. There are two FAQ questions dealing with
6291 this, one on the <A href="#ignore"> log message</A> FreeS/WAN gives
6292 when ignoring optional payloads and one on the <A href="#deadtunnel">
6293 delete SA</A> payload. </LI>
6295 <P> The general rule is that to interoperate with FreeS/WAN, the other
6296 implementation should be configured for:</P>
6299 <LI>triple DES encryption</LI>
6300 <LI>Diffie-Hellman Group 2 or 5 </LI>
6302 <P> This is possible for most implementations.</P>
6303 <H3><A name="noDES">Systems that want to use single DES</A></H3>
6304 <P> Linux FreeS/WAN does not support single DES transforms. Neither
6305 Pluto's IKE connections nor KLIPS' IPSEC connections can use DES. Since <A
6306 href="#desnotsecure">DES is insecure</A> we do not, and will not at any
6307 future time, provide it.</P>
6308 <P> DES is, unfortunately, a mandatory part of the <A href="#IPSEC">
6309 IPSEC</A> standard. Despite that, we will not implement DES. We believe
6310 it is more important to provide security than to comply with a standard
6311 which has been <A href="#weak">subverted</A> into allowing weak
6312 algorithms. See our <A href="politics.html">history and politics</A>
6313 section for discussion.</P>
6314 <P> Some implementations may offer DES as the default. In such cases we
6315 urge you to change them to <A href="#3DES">Triple DES</A>. If this is
6316 not possible, for example because <A href="#exlaw">export laws</A>
6317 prevent your vendor from offerring you adequate crytography, we urge
6318 you to complain vigorously to one or more of:</P>
6320 <LI>your government, especially any department concerned with
6321 protecting citizens' privacy or your nation's communication
6324 <LI>the embassy of the nation whose laws are problematic for you</LI>
6326 <P> Consider using FreeS/WAN instead. PCs are cheap and we deliver 3DES
6328 <P> FreeS/WAN does have <A href="#DES">DES</A> code in it as a sort of
6329 historical accident, since we need it to implement our default
6330 (currently, our only) block cipher, <A href="#3DES">Triple DES</A>.
6331 However, since <A href="#desnotsecure">DES is insecure</A>, we do not
6332 provide any interface to that code.</P>
6333 <P> As a matter of project policy, we will not help anyone subvert
6334 FreeS/WAN to provide <A href="#desnotsecure">insecure DES encryption</A>
6336 <H2><A name="otherpub">Interop HowTo documents</A></H2>
6337 <P> The FreeS/WAN team does not have the resources to test with
6338 anything like the full range of <A href="#implement">other IPSEC
6339 implementations</A> out there. Fortunately, some of our users are doing
6340 a fine job of filling the gap by providing HowTo information:</P>
6342 <LI>Hans-Jorg Hoxer's <A href="http://www.rommel.stw.uni-erlangen.de/~hshoexer/ipsec-howto/HOWTO.html">
6343 HowTo</A> covering interoperation between any two of:
6346 <LI>Open BSD IPSEC</LI>
6347 <LI>Windows 98 with PGPnet</LI>
6350 <LI>Jean-Francois Nadeau's <A href="http://jixen.tripod.com/">practical
6351 configurations</A> document covers FreeS/WAN interoperation with
6353 <LI>Windows 2000 IPSEC</LI>
6355 <LI>IRE Safenet SoftPK.</LI>
6358 <LI>Oscar Delgado's <A href="http://tirnanog.ls.fi.upm.es/CriptoLab/Biblioteca/InfTech/InfTech_CriptoLab.htm">
6359 page</A> has a PDF document covering interop using X.509 certificates
6360 between FreeS/WAN and:
6362 <LI>Windows 2000 </LI>
6366 <LI>Terrandon Communications provide a <A href="http://www.terradoncommunications.com/security/whitepapers/safe_net-to-free_swan.pdf">
6367 PDF HowTO</A> on using FreeS/WAN with IRE SafeNet </LI>
6368 <LI>Telenor provide a HowTo on <A href="http://security.nta.no/freeswan-w2k.html">
6369 FreeS/WAN and Windows 2000</A></LI>
6370 <LI>Carl's Guide for <A href="http://el06-24-29-255-187.ce.mediaone.net/carl/linux/ipsec/swan-w2k/swanw2k-b.html">
6371 FreeS/WAN and Windows 2000</A></LI>
6372 <LI>Ryan's <A href="http://www-ec.njit.edu/~rxt1077/Howto.txt">HowTo</A>
6373 for getting PGPnet to connect with FreeS/WAN using x509 certs through
6374 a Linksys router, with IPSec passthru enabled. </LI>
6376 <P> See also our list of available <A href="#patch">patches and add-ons</A>
6378 <H2><A name="mail.interop">Interoperation with specific products</A></H2>
6379 <P> Most of the information in this section is gleaned from the mailing
6380 list. For additional information, search one of the list <A href="#archives">
6382 <P> A large thank you is in order to all the list contributors. This
6383 document would not exist without you. </P>
6384 <P><STRONG> Anyone who has tested with an implementation not listed
6385 here, please report results</STRONG> to the <A href="mail.html">mailing
6386 list</A>. I generally include the sender's email address when I quote
6387 list messages here; "credit where credit is due". If you would prefer
6388 that I not do that with yours, please mention that.</P>
6389 <H3><A name="oldswan">Older versions of FreeS/WAN</A></H3>
6390 Any two versions of FreeS/WAN should interoperate, and many
6391 combinations have been tested doing so successfully. In particular,
6392 every release is tested against its predecessor before it goes out.
6393 <P> However, if you do encounter a problem involving an older version,
6394 we are likely to suggest you upgrade. We do not have the resources to
6395 support multiple versions. </P>
6396 <P> The <A href="#old_to_new">FAQ</A> also discusses this. </P>
6397 <H3><A name="OpenBSD">OpenBSD</A></H3>
6398 Two documents we know of cover interoperation between FreeS/WAN and
6401 <LI>Hans-Jorg Hoxer's <A href="http://www.rommel.stw.uni-erlangen.de/~hshoexer/ipsec-howto/HOWTO.html">
6403 <LI>Skyper's <A href="http://www.segfault.net/ipsec/">guide</A></LI>
6405 <P> This report is from one of the OpenBSD IPSEC developers, a regular
6406 participant on our mailing list:</P>
6409 Date: Tue, 23 Feb 1999
6410 From: Niklas Hallqvist <niklas@appli.se>
6412 PS. I don't know if you have an interop list anywhere, but you should
6413 know FreeS/WAN interops with OpenBSD both at the IPSec level and at
6416 <P> He has also talked of porting NetBSD's isakmpd(8) to Linux, but has
6417 (as of late April '99) made no announcement of availability. This would
6418 provide an alternative to our pluto(8) daemon with a somewhat different
6419 feature set. Our <A href="#KLIPS">KLIPS</A> kernel code would still be
6421 <P> The <A href="http://www.openbsd.org/faq/faq13.html">OpenBSD FAQ</A>
6422 includes information on their IPSEC implementation. </P>
6423 <H3><A name="FreeBSD">FreeBSD</A></H3>
6424 <P>The only <A href="http://www.r4k.net/ipsec/">reference</A> we have
6425 to IPSEC for FreeBSD says their code was ported from OpenBSD.</P>
6426 <P> Here is a mailing list message on FreeBSD interoperation: </P>
6428 Subject: Re: Interop with [Free|Open|Net]BSD
6429 Date: Fri, 29 Dec 2000
6430 From: Ghislaine Labouret <Ghislaine.Labouret@hsc.fr>
6432 On Thu, 28 Dec 2000 13:53:01 -0500, Sandy Harris wrote:
6436 > For FreeBSD, I find list discussion of 3DES key formats, presumably for manual
6437 > keying. We have 192-bit, 3 64-bit keys including parity bits, while FreeBSD 4.0
6438 > used 168-bit, 3 56-bit keys without the parity bits. Has FreeBSD changed this?
6440 I still don't understand what made Spike Gronim say that KAME wants a
6441 168 bits key; I have always been using 192 bits keys with KAME and had
6442 no interoperability problem between KAME and FreeS/WAN using manual
6445 > For auto keying, I find reports of sucessful use of pre-shared secrets, but
6446 > nothing on RSA authentication.
6448 I had KAME (20001023 snapshot) and FreeS/WAN 1.6 successfully
6449 interoperate using both PSK and RSA-sig authentication. The config
6450 files, certificates and test keys used are available online:
6451 http://www.hsc.fr/ipsec/ipsec2000/kame/
6452 http://www.hsc.fr/ipsec/ipsec2000/freeswan/
6453 Not much details though, as this is just a report and not a how-to. Will
6454 improve it if I can find spare time.
6456 > Does FreeBSD support that?
6458 KAME can use RSA-sig and can either exchange certificates online or get
6459 them from a file. I tested the latter. No test with the X.509 patch for
6460 FreeS/WAN yet, though that's in my short term plans too.
6462 > Are the key formats compatible, or has anyone written translation code?
6464 KAME wants the keys inside certificates, in PEM format. To extract the
6465 keys for FreeS/WAN I used the fswcert utility, but it can be done "by
6466 hand" using openssl.
6468 <H3><A name="NetBSD">NetBSD</A></H3>
6469 NetBSD has an IPSEC implementation, described in this <A href="http://www.netbsd.org/Documentation/network/ipsec/">
6471 <H3><A name="Cisco">Cisco Routers</A></H3>
6472 Useful pages on Cisco sites include:
6474 <LI><A href="http://www.cisco.com/warp/public/471/top_issues/vpn/vpn_index.shtml">
6475 VPN support</A></LI>
6476 <LI><A href="http://www.ieng.com/warp/public/700/tech_configs.html">
6477 sample configurations</A></LI>
6479 <P> Here is a mailing list <A href="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/11/msg00578.html">
6480 message</A> with subject "FreeS/WAN and Cisco 3030 VPN Concentrator"
6481 and an attached MS-Word document on the setup. </P>
6482 <P> A sample FreeS/WAN configuration, used in testing with Cisco at an
6483 interop conference, is in another list <A href="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2001/01/msg00095.html">
6484 message</A>. Unfortunately, it does not give the matching Cisco
6486 <P> Here is our first interop success report: </P>
6488 Subject: cisco <-> pluto IKE interop is here........
6489 Date: Thu, 28 Jan 1999
6490 From: Ian Calderbank
6492 Ok, tried todays pluto (28 jan) snapshot against a (wait for it) 3des
6493 cisco box, one with some more serious grunt for benchmarking when the time
6496 And the good news is that pluto and cisco's IKE seem to interoperate. At
6497 the end of things both devices seem to be happy that they have IKE and
6498 IPSEC SA's. I can't send any traffic over it cos klips seems to be broken
6499 (peter seems to be on the case), but fundamentally, pluto seems to be
6500 interoperable with cisco for SA negotiation.
6502 I've attached some ipsec barf output - pluto still complains a few times,
6503 but it gets there :-)
6505 <P> A later message from Ian:</P>
6507 This configuration is provided as-is and with no assistance or guarantee
6508 that it works whatsover. In particular your attention is drawn to the versions
6509 of operating systems and IPSEC that were used in the test. Configurations
6510 for later versions of freeswan and cisco IOS may well be different.
6512 Cisco router: 3640 (R4700 processor), ios 12.0(2a)T1), 3DES IPSEC feature set
6513 ( you do need the 3des version).
6514 Linux box: P150, freeswan 29/jan/99 snapshot, Redhat 5.2, kernel 2.0.36.
6515 Interconnect: 10 Base T.
6516 Algorithm: ESP 3des/md5
6520 Freeswan P150 : load average: 0.08, 0.06, 0.01
6522 Throughput: 1.1 Mbit/sec at the application layer, approx 1.2Mbit/sec, 100 packet/sec on
6523 the external network. There were no chokes present, so the limit would
6524 appear to be the 3640, given it was running near flat out.
6526 --------------------------
6531 auto ipsec-router-test
6534 # x.x.x.x = linux box public ip address
6536 # y.y.y.y = router public ip address
6537 rightsubnet=192.168.2.0/24
6538 # private network behind the router - host to which throughput testing was done is here.
6545 ----------------------------
6547 Cisco Router config:
6549 crypto isakmp policy 1
6552 authentication pre-share
6553 crypto isakmp key SECRET-VALUE address x.x.x.x
6554 crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
6555 crypto map TEST 1 ipsec-isakmp
6557 set transform-set 3DES-MD5
6559 access-list 101 permit ip 192.168.2.0 0.0.0.255 host x.x.x.x
6563 <P> A <A href="http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120t/120t2/3desips.htm">
6564 page</A> on Cisco's site gave this list (early Jan 2000, before new US
6565 export regulations went into effect):</P>
6567 | Triple DES Encryption for IPSec
6571 | This feature is supported only on the following platforms:
6582 A message from another user about using RSA keys with Cisco:
6584 From: jrussi@uol.com.br
6585 Subject: Re:Re: Re:Re: [Users] RSA public key and Cisco (3640)
6586 Date: Sat, 2 Jun 2001
6588 We use Cisco IOS 12.1.5(T) and freeswan 1.8
6590 Here an example on how I copied the key from cisco:
6593 117C311E 16192D86 8886C71D 11111115 11138B11 31881241 11C7E23B D6DB22
6598 0x117C311E16192D868886C71D1111111511138B113188124111C7E23BD6DB2218DEC1BD...
6600 We used at least 1024 bits long keys.
6602 But it doesn´t matter. The problem is that cisco doesn´t agree with the RSA schema from freeswan, I think. In Cisco, rsasig is to use with a CA, and rsaencript did not work as well.
6604 My case is worse than it. My first intention was to use freeswan in a road warrior config. I really need to use CA, as Cisco needs a fix address to use rsa public key. The public key to cisco is always associated to an IP address ou FQDN. I quit. Will try the X509 patch and the Open CA software.
6609 >Yes, I was just going to mention that the Cisco's key should be in
6610 >ipsec.conf (just received your correction).
6612 >I think that I have the Cisco side configured correctly ( I can't be sure
6613 >because I can't test against the Freeswan).
6615 >Starting from having the IPsec tunnel working with pre-share, I did the
6616 >following on the Cisco side:
6619 >(config)# crypto key pubkey-chain rsa
6620 >(config-pubkey-chain)# addressed-key
6621 <!--ipaddress of freeswan-->
6623 >(config-pubkey-key)# key-string
6624 >(config-pubkey-key)#
6625 <!--paste freeswan key here-->
6627 >(config-pubkey-key)#quit
6628 >(config-pubkey-chain)#exit
6631 >(config)# crypto isakmp policy 1
6632 >(config-isakmp)# no authentication pre-share
6633 >(config-isakmp)# authentication rsa-sig
6634 >(config-isakmp)# exit
6636 >How long is your RSA key that was generated on the Cisco? I tried copying
6637 >the key out of the 3640 and pasting it into ipsec.conf, removing the spaces
6638 >and adding a '0x' in the front. I get the 'key too small' error still. What
6639 >version of freeswan are you using?
6641 >I'm using Freeswan 1.9 w/ IOS 12.1(6).
6644 >----- Original Message -----
6646 <!--jrussi@uol.com.br-->
6648 >To: "James Rowe"
6649 <!--jrowe@cisco.com-->
6651 <!--jrussi@uol.com.br-->
6654 <!--users@lists.freeswan.org-->
6656 >Sent: Thursday, May 31, 2001 5:15 PM
6657 >Subject: Re:Re: [Users] RSA public key and Cisco (3640)
6660 >> We had no problems with the key. Just be sure to remove the blank spaces
6661 >from the key (general key) that cisco generates.
6663 >> Just remove the blank, put all together as a long line (all the lines to a
6664 >single line) and add a "0x" at the key that Cisco give to you, and paste to
6667 >> The public key from FreeSwan, you just remove the "0x" and paste to the
6668 >command line at cisco. They will not complain about the keys.
6670 >> But my problem is with the proposal configured at Cisco. What to you think
6671 >to use? I tried "authentication rsasig" and "rsaencrip" with no results.
6672 >Cisco always sends me an "No proposal choosen" error message.
6674 >> I road an old message from someone called Brian here at this list, where
6675 >he says that FreeSwan will not accept authentication rsaencript from Cisco.
6676 >But rsasig is to use with a CA certification. So my question is: is it
6677 >possible to use Cisco with public RSA keying, without a CA? The thread ended
6678 >without an answer to it.
6681 >> >>Hello,
6683 >> >I am working on the same issue. I have pre-shared working, but would like
6685 >> >use RSA public keys. It seems that the Cisco key is too short. When
6687 >> >IPsec in init.d, it says that the Cisco key is not secure because it is
6689 >> >than 512 bits, even tough the key is really over 768 bits. Claudia thinks
6690 >> >this is a parsing problem and suggested to take a look at the source
6693 >> >Some pointers that I have found while working on this:
6695 >> >You must add a '0x' to the front of the Cisco key when entering it into
6696 >> >Freeswan, and remove the '0x' when entering the freeswan key into the
6700 >> >The case of the hexadecimal letters in the key does not matter. Thinking
6701 >> >that freeswan stopped reading the key when it encountered the first
6702 >> >uppercase letter in the Cisco key (freeswan keys are lowercase, Cisco's
6704 >> >uppercase), I changed everything to lowercase. Didn't help.
6706 >> >I'll let you know if I make any progess on this. I'd appreciate if you
6708 >> >let me know if you get this working. Thanks.
6710 >> >-- Jim Rowe
6712 >> >----- Original Message -----
6714 <!--jrussi@uol.com.br-->
6717 <!--users@lists.freeswan.org-->
6719 >> >Sent: Thursday, May 31, 2001 2:52 PM
6720 >> >Subject: [Users] RSA public key and Cisco (3640)
6723 >> >> Does anyone have a sucessful Cisco config file to use in a
6725 >> >conection using RSA public key?
6727 >> >> We were able to setup a pre-shared conection, but would like to try
6729 >> >keying.
6731 <H3><A name="bay">Nortel (Bay Networks) Contivity switch</A></H3>
6732 There is one known issue in FreeS/WAN-to-Contivity interoperation.
6733 Recent versions of FreeS/WAN no longer support DH group 1 for key
6734 exchange. Older versions of Contivity software support nothing else.
6735 Group 2 was added in more recent releases. So:
6737 <LI>older FreeS/WANs, such as 1.5, will work with any Contivity
6738 software. Key exchange will be done using DH Group 1. This may not be
6740 <LI>current FreeS/WANs will work only with recent Contivity releases
6741 supporting DH Group 2. Contivity 3.5 is one such release. </LI>
6743 We recommend using the latest Contivity release.
6744 <P> Some messages from the mailing list: </P>
6746 Subject: Contivity Extranet Switch
6747 Date: Fri, 11 Jun 1999
6748 From: Matthias David Siebler <msiebler@nortelnetworks.com>
6749 Reply-To: msiebler@alum.mit.edu
6750 Organization: Nortel Networks
6752 More interoperability results:
6754 I successfully established a tunnel with a Nortel (formerly Bay (formerly New Oak)) Contivity
6755 Extranet Switch running the latest release versions.
6757 The CES is running V2.50 of the software and the Linux server is running V1.0.0 of the Free/SWAN
6758 code on a RedHat 5.2 unit with the kernel upgraded to 2.0.36-3
6760 I am using IKE with 3DES-HMAC-MD5
6762 Note however, that tunnels cannot yet be configured as client tunnels since Free/SWAN does not yet
6763 support aggressive mode. Hopefully, that will arrive soon, which would allow remote users to
6764 connect to a CES using the Free/SWAN code as clients.
6766 <P> and apparently Nortel want their product to work with FreeS/WAN:</P>
6767 <PRE>Subject: Is FreeSwan 3.1 a legitamate ipsec implementation when compared to its commercial competitors?
6768 Date: Tue, 02 May 2000
6769 From: Bill Stewart <bill.stewart@pobox.com>
6771 Nortel's Contivity IPSEC server has a formal policy of interoperability
6772 with FreeS/WAN. I was quite pleased to hear it when they last talked to us,
6773 and it makes sense in their business environment, since they let you use
6774 their WinXX client software free, so this gives them support for Linux
6777 <P> A more recent mailing list report is: </P>
6779 Subject: Nortel Contivity and Free-S/WAN
6780 Date: Wed, 7 Mar 2001
6781 From: "JJ Streicher-Bremer" <jj@digisle.net>
6783 OK, here is a very brief nuts and bolts breakdown on how to get this
6784 combo working. I want to thank everyone at Free-S/WAN and everyone on
6785 the list for your help in getting this to work.
6787 Connecting FreeS/WAN to the Nortel Networks Contivity Extranet Switch:
6790 FreeS/WAN v1.5 and Contivity ver 2.5 - 3.5 (might work with earlier
6791 versions, but I have not tested it with this config)
6793 FreeS/WAN v1.8 and COntivity ver 3.5 (the 3.5 version supports Diffe
6794 Hilman group 2 key exchange)
6797 1 - Configure the Contivity:
6798 Set up a branch office tunnel group with the following settings:
6802 Access Hours: Anytime
6803 Call Admission Priority: Highest Priority
6804 Forwarding Priority: Low Priority
6805 Idle Timeout: 00:00:00
6806 Forced Logoff: 00:00:00
6808 RSVP: Token Bucket Depth: 3000 Bytes
6809 RSVP: Token Bucket Rate: 28 Kbps
6810 Branch Office Bandwidth Policy:
6811 - Committed Rate: 56 Kbps
6812 - Excess Rate: 128 Kbps
6813 - Excess Action: Mark
6816 - ESP - Triple DES with SHA1 Integrity: Enabled
6817 - ESP - Triple DES with MD5 Integrity: Enabled
6818 - ESP - 56-bit DES with SHA1 Integrity: Disabled
6819 - ESP - 56-bit DES with MD5 Integrity: Disabled
6820 *IKE Encryption and Diffie-Hellman Group: Triple DES with Group
6823 Perfect Forward Secrecy: Enabled
6824 Compression: Disabled
6825 Rekey Timeout: 08:00:00
6826 Rekey Data Count: (None)
6827 *ISAKMP Retransmission Interval: 16
6828 *ISAKMP Retransmission Max Attempts: 4
6830 Set up a branch office tunnel inside this new group with the
6834 Local - Public address of your COntivity
6835 Remote - Your Free-S/WAN interface Address
6837 IPSEC Authentication - Text Pre-Shared Key
6838 One note here, I have had some trouble trying to use HEX
6839 or Non alphanumeric chars in this key.
6843 Local - networks you want to be able to access through the
6845 Remote - networks that will be allowed through the tunnel
6848 Get routing setup on your office network:
6849 You will need to get a routing entry that will point all traffic
6850 bound for your home network (the one that will be acciessible through
6851 the tunnel) to the internal interface of the contivity system.
6853 Configure Free-S/WAN:
6854 Install, compile, and test Free-S/WAN
6855 Edit ipsec.conf for your new tunnel:
6856 --------------------------------------------------------
6859 interfaces="ipsec0=eth1"
6877 leftnexthop=10.0.0.1
6878 leftsubnet=10.0.1.0/24
6880 rightsubnet=172.16.1.0/24
6891 leftnexthop=10.0.0.1
6892 leftsubnet=10.0.1.0/24
6894 rightsubnet=172.16.2.0/24
6897 10.0.0.2 172.16.0.2 "Your big secret"
6898 ---------------------------------------------
6900 The above config is for this imaginary network:
6903 10.0.1.1 | |10.0.0.2 10.0.0.1++ Internet
6904 ---------| |-------------------++===========
6905 +------+ Home Router
6909 Internet ++ 172.16.0.2#### 172.16.1.0/24 These
6910 =========++--------------####---------172.16.2.0/24 are here somewhere
6911 Office Router Contivity
6914 This has worked for me. I am still having trouble with the tunnels
6915 dying after about 30-40 minutes of non-use. Don't know what that is
6916 about, but I'll keep you posted.
6918 <H3><A name="Raptor">Raptor Firewall</A></H3>
6919 <H4><A name="raptorNT">Raptor 5 on NT (old info)</A></H4>
6921 Subject: Interoperability with Raptor 5 (Success!)
6922 Date: Wed, 06 Jan 1999 16:19:27 -0500
6923 From: Chuck Bushong <chuckb@chandler-group.com>
6925 I don't know if this is useful information for anyone, but I have
6926 successfully established a VPN between RedHat 5.1 (kernel 2.0.34) running
6927 FreeS/WAN 0.91 and NT4 running Raptor 5. However, Pluto does not appear
6928 compatible with the Raptor IKE implementation. . . .
6930 Subject: RE: linux-ipsec: Interoperability with Raptor 5 (Success!)
6931 Date: Thu, 28 Jan 1999 17:22:55 -0500
6932 From: Chuck Bushong <chuckb@chandler-group.com>
6934 ... this VPN (at least the klips end) has been up under minimal
6935 utilization for three weeks plus without interruption. The
6936 machine seems very stable. Pat yourself on the back, gentlemen.
6937 Your beta release is more stable than certain companies' shipping
6940 Keep up the good work.
6942 <H4><A name="raptorsun">Raptor 6 on Solaris</A></H4>
6944 Subject: Re: successful interop. with Raptor 6.02
6945 From: "Charles G. Griebel" <cggrieb@biw.com>
6946 Date: Tue, 25 Jul 2000
6948 On Thu, Jul 20, 2000 at 12:04:40PM -0700, Kevin Traas wrote:
6949 > Great! I'm just about to start looking into this as well, so any
6950 > docs/info you can provide would be *greatly* appreciated. Immortalize
6951 > yourself! Get something written and added to the compatibility.html
6952 > file. Many will thank you.
6954 Can't be that hard. I'm just a freeswan newbie who hasn't even done a FS
6959 Anyway, I hope you find this helpful.
6963 -------------------------------------------------------------------------------
6965 Automatically keyed 3DES VPN between Raptor 6.02 on Solaris 2.6 (left) and
6966 FreeS/WAN 1.5 on 2.2.16 Intel (right)
6968 FreeS/WAN (right) information:
6969 -----------------------------
6974 interfaces="ipsec0=ppp0" # change to suite
6982 leftnexthop=10.0.0.2
6983 leftsubnet=192.168.0.0/24
6985 rightnexthop=10.1.1.1
6986 rightsubnet=172.16.1.0/24
6995 # note I haven't verified that underscores will actually work
6996 10.0.0.1 10.1.1.1: PSK "some_long_secret_with_plenty_of_chars"
6998 Raptor 6.02 (left) information:
6999 ------------------------------
7001 Name: left-external-kp-dynamic
7003 Profile Describing: local entity
7005 Identification Type: Address
7006 Identification: 10.1.1.1
7007 ISAKMP Hash Method: MD5
7008 ISAKMP Authentication: Shared_Key
7009 Shared Secret: some_long_secret_with_plenty_of_chars
7010 Time Expiration: 1080
7012 Name: right-external-kp-dynamic
7014 Profile Describing: remote entity
7016 Identification Type: Address
7017 Identification: 10.0.0.1
7020 Name: left-ss-dynamic
7021 Address: 192.168.0.0
7022 Netmask: 255.255.255.0
7023 Key Profile: left-ss-dynamic
7025 Name: right-ss-dynamic
7027 Netmask: 255.255.255.0
7028 Key Profile: right-ss-dynamic
7031 Name: left-to-right-tunnel
7032 Entity A: right-ss-dynamic
7033 Entity B: left-ss-dynamic
7034 Encapsulation: ISAKMP
7036 Pass traffic through proxies: [unchecked]
7037 Use Authentication Header: [unchecked]
7038 Use Encryption Header: [checked]
7039 Data Integrity Algorithm: MD5
7040 Data Privacy Algorithm: 3DES
7043 Data volume timeout: 2100000
7044 Lifetime timeout: 480
7045 Inactivity timeout: 0
7046 Transport mode: [unchecked]
7047 Perfect forward secrecy: [unchecked]
7052 I made the addresses fictitious RFC1918 addresses.
7053 I haven't tried PFS.
7054 I had problems getting an SA with manual keying -- I think it may be with the
7057 <H4><A name="raptorman">Raptor manual keying</A></H4>
7058 A mailing list suggestion from FreeS/WAN technical lead Henry Spencer:
7060 > In the Raptor settings, there are 2 sets of data (1 for each end). Each set
7061 > contains an SPI, 3 DES Keys and 1 MD5 hash. I only know how to include one
7062 > set, how do I include the other set? Is the other set needed?
7064 They may be using different keys for each direction, which is a bit
7065 unusual for manual keying, but not impossible. The simplest thing is
7066 probably to just give it two identical sets of data -- that should work.
7067 FreeS/WAN has provisions for asymmetric keys etc. in manual keying, but
7068 that stuff is lightly documented and lightly tested.
7070 <H3><A name="gauntlet">Gauntlet firewall GVPN</A></H3>
7072 Subject: Successful interop: FreeS/WAN 1.7
7074 Gauntlet Firewall GVPN 5.5
7075 Date: Tue, 21 Nov 2000
7077 Sending the following to the list, at Hugh's request.
7079 -----Original Message-----
7080 From: Reiner, Richard
7081 Sent: Tuesday, November 21, 2000 11:34 AM
7082 To: 'hugh@mimosa.com'
7086 > Good. But we don't think that you should be using our IPCOMP just
7087 > yet. It is flaky :-(
7089 I've seen no anomalies, although "allow ipcomp" is on at the Gauntlet
7090 end. Looking at my ipsec.conf I actually find no refereence to ipcomp.
7091 I presume it is disabled by default. In addition, reviewing my logs
7092 both on the Gauntlet end and the Linux end, I see nothing I can
7093 interpret as an indication that ipcomp was enabled during negotiation.
7094 So I have to correct my previous posting - I believe the link is *not*
7097 > This is interesting and we'd love a more complete writeup. It should
7098 > get incorporated into our interop documentation.
7100 Here are the relevant bits from ipsec.conf:
7103 interfaces=%defaultroute
7110 conn freeswan17-gauntlet55
7115 leftsubnet=10.0.1.0/24
7117 rightnexthop=3.3.3.4
7118 rightsubnet=10.0.2.0/24
7130 All settings on the Gauntlet side are the same (not shown here, as GUI
7131 screenshots are hard to show in ASCII... and the textual format that is
7132 generated by the Gauntlet GUI is ugly in the extreme).
7134 Note that ikelifetime is 1440m by default on the Gauntlet end, but
7135 freeswan does not support this value (max appears to be 480m), thus the
7136 Gauntlet end is also set to 480m to match freeswan's value.
7138 Also worth noting: I am using the excellent Seawall scripts to manage
7139 ipchains configuration on the freeswan end. It automatically generates
7140 a correct set of firewall rules for the link (along with doing many
7141 other convenient things).
7143 For more information on Seawall (the Seattle Firewall), see that
7144 project's <A href="http://seawall.sourceforge.net/">home page</A> on
7146 <H3><A name="checkpoint">Checkpoint Firewall-1</A></H3>
7147 <P> A PDF <A href="http://support.checkpoint.com/kb/docs/public/firewall1/4_1/pdf/fw-linuxvpn.pdf">
7148 HowTo</A> for connecting FreeS/WAN and this product can be downloaded
7149 from the vendor's site or browsed at a VPN mailing list <A href="http://kubarb.phsx.ukans.edu/~tbird/vpn.html">
7151 <P> The mailing list reports success with this combination, but also
7152 some problems. Search the <A href="#archive">archives</A> for the full
7154 <P> Here is one message, about what seems to be the biggest problem: </P>
7156 Subject: Re: Pb establishing connection from FW1/3DES/SP2 with freeswan 1.5 - ACTE 2
7157 Date: Tue, 6 Feb 2001
7158 From: Claudia Schmeing <claudia@freeswan.org>
7160 > Thanx to Michael and Claudia, but this doesn't work from VPN1 to linux (as
7161 > linux to VPN1 is OK).
7164 > I think that VPN1 doesn't send "192.168.1.0/24" but "192.168.1.20/32" and,
7165 > as Claudia said, IPSEC SA need to match Exactly.
7167 I don't know about the rules on the VPN-1. You'll have to rely on people
7168 with applicable experience there...
7170 > Is it possible that freeswan doesn't do the inclusion process (ie if he
7171 > receive 192.168.1.20/32, i doesn't match that this is include in
7172 > 192.168.1.0/24) ?
7174 Yes, that's correct. It needs to match exactly, and inclusion is not
7175 part of this process.
7177 > Btw why VPN/1 send 192.168.1.20/32 and not 192.168.1.20/24 (the value that
7178 > Freeswan is waiting for)? A bug?
7180 I think Michael may be able to help you with this.
7182 > Have i a way to force Freeswan to do the "inclusion" (ie accept
7183 > 192.168.1.20/32 as a part of 192.160.1.20/24, even if the 2 IPSEC Sa
7184 > doesn't match exactly) ?
7187 Another strategy is to accept the fact that the Checkpoint
7188 proposes separate connections for each machine. If you define
7189 and add each of these connections on the Linux FreeS/WAN side, then
7190 Linux FreeS/WAN ought to accept the Checkpoint's proposals.
7192 The only possible difficulty with this strategy is that I don't know
7193 how Linux FreeS/WAN handles the concept of overlapping tunnels. I
7194 believe, though, that these tunnels can coexist, and if for any
7195 packet there are two options, a more general and a less general, the
7196 packet will be handled by the more specific tunnel. You would need
7197 to do a little testing to ensure you understand the behaviour and
7198 that this does actually solve your problem.
7200 I think it would be simplest to try to get the Checkpoint to propose the
7201 more general tunnel. Since I don't recall having seen this problem before,
7202 I suspect the simpler solution is doable.
7204 <H3><A name="redcreek">Redcreek Ravlin</A></H3>
7205 We have reports of successful interoperation at an interop <A href="http://www.opus1.com/vpn/atl99display.html">
7206 conference</A>, but there is also a mailing list <A href="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/11/msg00510.html">
7207 thread</A> discussing difficulties some users have encountered.
7208 <H3><A name="sentinel">SSH Sentinel</A></H3>
7209 The vendor's <A href="http://www.ipsec.com/products/sentinel/documents.html">
7210 web site</A> has configuration examples for use with FreeS/WAN.
7211 <P> The vendor seems serious about interop with us. Here is a message
7212 one of their staff posted on our list: </P>
7214 From: Jussi Torhonen <jt@ssh.com>
7215 Organization: SSH Communications Security Corp - http://www.ssh.com
7216 Subject: [Users] SSH Sentinel VPN client public beta #3 now available
7217 Date: Thu, 31 May 2001
7219 Hello, FreeS/WAN community !
7221 SSH Communications Security Corp has released a new public beta #3
7222 version of SSH Sentinel VPN client for Windows. We've got a lot of
7223 reports also from FreeS/WAN community and with that feedback we've
7224 improved interoperability and stability.
7226 For example PFS (Perfect Forward Secrecy in IKE rekey) can now be used
7227 between SSH Sentinel and FreeSWAN, and if using that user contributed
7228 X.509 patch and exporting the certificate from SSH Sentinel, now those
7229 -----[BEGIN|END] CERTIFICATE----- headers/footers are properly included
7230 in the exported PEM formatted certificate, so it can be imported to
7231 FreeSWAN with fswcert utility and OpenSSL tools.
7233 Thank you a lot for your feedback, colleagues !
7235 You can get that new public beta #3 and PDF formatted User Manual from
7236 ftp://ftp.ssh.com/pub/sentinel/ or via website
7237 http://www.ipsec.com/products/sentinel/beta/register.html
7239 For more information about the product, please check our website
7240 http://www.ipsec.com
7242 We eagerly want to make SSH Sentinel as the best VPN client on the
7243 market. If you want to contact our support, please send e-mail to
7244 sentinel-support@ssh.com or fill up our feedback form at
7245 http://www.ipsec.com/support/sentinel/beta_report.html
7248 Jussi Torhonen, SSH Sentinel Team
7251 <H3><A name="Fsecure">F-Secure VPN for Windows</A></H3>
7252 <PRE> Subject: linux-ipsec: Identification through other than IP number
7253 Date: Tue, 13 Apr 1999
7254 From: Thomas Bellman <bellman@signum.se>
7256 ... Currently we are trying to interop FreeS/WAN
7257 with F-Secure VPN+ Client 4.0 (for MS Windows), and as long as
7258 the Windows machine has a fix IP address, and are initiating the
7259 IKE negotiations, things are working well. However, when the IP
7260 address is changing, it doesn't work. ...
7261 (I'll try to write something up about the problems we are having
7262 when Pluto is initiatior in another message.)
7264 <H3><A name="watchguard">Watchguard</A></H3>
7265 <P> Watchguard make a Linux-based firewall product. Ipchains author
7266 Rusty Russell thanks them for support and recommends them in one of his <A
7267 href="http://www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO-3.html#ss3.2">HowTos</A>
7268 . On the other hand, some comments on our mailing list about the
7269 Watchguard product have been quite unfavourable. See, for example, this <A
7270 href="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/08/msg00474.html">
7271 archive message</A>. </P>
7272 <P> Watchguard do not use FreeS/WAN in their product. They have their
7273 own IPSEC implementation. </P>
7274 <P> We have had mailing list reports of successful interoperation
7275 between FreeS/WAN and the Watchguard firewall, using manually keyed
7276 connections. The user could not get automatically keyed connections to
7277 work; the message below explains this. </P>
7278 <P> Here is some mail from a Watchguard employee about interoperation: </P>
7280 Subject: FreeS/WAN and WatchGuard Firebox interop
7281 Date: Mon, 18 Dec 2000
7282 From: Max Enders <menders@watchguard.com>
7284 I was recently given the task of testing IPSec interoperability
7285 with our product, the Firebox. I just wanted to let you know that
7286 I had success with a manual keyed tunnel. Here's what I used for
7290 Linux 2.2.18 i686 unknown
7292 "Trusted" interface: 192.168.0.1/24
7293 "External" interface: 192.168.1.1/24
7296 WatchGuard Live Security System v4.5
7297 Trusted interface: 192.168.2.1/24
7298 External interface: 192.168.1.2/24
7300 Because FreeS/WAN does not implement single DES, a dynamic keyed
7301 tunnel will not work. Our product strictly uses DES for main mode.
7302 We hope to address this in a future release. Here are instructions
7303 for configuring the Firebox:
7305 Open the Policy Manager and create a new IPSec gateway. Set the Key
7306 Negotiation Type to manual and enter the FreeS/WAN box's external
7307 IP address for the Remote Gateway IP. Configure a new tunnel with
7308 a unique SPI. Select 3DES-CBC for Encryption and MD5-HMAC for
7309 Authentication. Make an Encryption Key and Authentication Key.
7310 Copy the values and save them for configuration of the FreeS/WAN box.
7311 Configure a routing policy and any necessary services as you normally
7314 Here's how I configured FreeS/WAN:
7316 Modifications to /etc/ipsec.conf:
7318 Under the "config setup" section, add:
7322 At the end of the file, add the following connection:
7326 leftsubnet=192.168.0.0/24
7328 rightsubnet=192.168.2.0/24
7331 espenckey=0x515b0875793e3708517c3d4554012f7c0273375e51572a31
7332 espauthkey=0x072649041c2c0d452f7c15407576522f
7334 The spi used here should match the Firebox's. Note that the Policy Manager
7335 expects an SPI in decimal, not hexadecimal. The espenckey value should be
7336 0x and the Encryption Key you're using on the Firebox. Likewise for
7337 espauthkey and the Authentication Key on the Firebox.
7341 Subject: RE: Freeswan
7342 Date: Wed, 7 Feb 2001
7343 From: "Patrick Poncet" <pponcet@vaxxine.com>
7347 Voila... I wish to thank all the FreeS/WAN for putting out such a great
7348 product out! And also Philippe PAULEAU who pioneered interoperability
7349 between FreeS/WAN and Watchguard Firebox II and therefore showed me that my
7350 efforts would not be wasted!...
7352 Yes indeed FreeS/WAN to WatchGuard Firebox only works in manual keying mode
7353 and the best way to generate keys is to have the firebox generate the keys,
7354 then copy and paste into the ipsec.conf file on the FreeS/WAN side (don't
7355 forget to prefix the keys with '0x' in your ipsec.conf file.
7357 Also keep in mind that the SPI is in decimal on the Firebox side and HEX on
7358 the FreeS/WAN side!!! We spent 4 hours on fixing this HEX-DEC issue only :)
7360 <H3><A name="Xedia">Xedia Access Point/QVPN</A></H3>
7361 <PRE> Subject: linux-ipsec: Interoperability result
7362 Date: Mon, 15 Mar 1999 18:08:12 -0500
7363 From: Paul Koning <pkoning@xedia.com>
7365 Here's another datapoint for the "FreeS/WAN interoperability
7368 I tested 0.92 against the Xedia Access Point/QVPN product, using
7369 dynamic keying (i.e., Pluto at work).
7371 Results: it works fine so long as you ask for 3DES. DES and no-crypto
7372 modes don't work when Pluto is involved.
7374 I did limited data testing, which seemed to be fine. No performance
7375 numbers yet, could do that if people are interested.
7377 Any questions, please ask.
7381 <H3><A name="pgpnet">PGP Mac and Windows IPSEC Client</A></H3>
7382 <P> Since version 6.5, the <A href="#PGP">PGP</A> products from <A href="http://www.pgp.com/">
7383 PGP Inc.</A> have included an IPSEC client program.</P>
7384 <P> Here is the first message about it to our mailing list, from a
7385 senior PGP employee:</P>
7386 <PRE> Subject: linux-ipsec: PGPnet interoperable with FreeSWAN
7387 Date: Mon, 05 Apr 1999 18:06:13 -0700
7388 From: Will Price <wprice@cyphers.net>
7389 To: linux-ipsec@clinet.fi
7391 Network Associates announced PGP 6.5 today. It includes a new product
7392 PGPnet which is a full IKE/IPSec client implementation. This product
7393 is for Windows and Macintosh. I just wanted to send a brief note to
7394 this list that the product was compatibility tested with FreeSWAN
7395 prior to its release, and the tests were successful!
7398 Will Price, Architect/Sr. Mgr., PGP Client Products
7399 Total Network Security Division
7400 Network Associates, Inc.</PRE>
7401 <P> One version is downloadable at no cost for non-commercial use. See
7402 our <A href="#tools">links</A>. That version does not support subnets. </P>
7403 <P> Several of the user-written HowTos mentioned <A href="#otherpub">
7404 above</A> cover interoperation between PGPnet and FreeS/WAN.</P>
7405 <P> A more recent post from the same PGP Inc staff member pointed out: </P>
7407 Make sure you're using PGP 7.0 or later as the key parser was improved
7408 in that release. (PGP 7.0.1 was just released)
7410 <P> Various users have reported various successes and problems talking
7411 to PGPnet with FreeS/WAN. There has also been a fairly complex
7412 discussion of some fine points of RFC interpretation between the
7413 implementers of the two systems. Check an archive of our <A href="mail.html">
7414 mailing list</A> for details.</P>
7415 <P> A post summarising some of this, from our Pluto programmer:</P>
7417 Subject: PGPnet 6.5 and freeswan
7418 Date: Sun, 16 Jan 2000
7419 From: "D. Hugh Redelmeier" <hugh@mimosa.com>
7423 | OK, I'm stumped. I am trying to configure IPSEC to support road
7424 | warriors using PGPnet 6.5.
7426 | I've set up everything as per the man pages on the ipsec side.
7428 | I've set up everything on the PGPnet side per the docs for that package.
7430 | Pluto fails with this:
7432 | Jan 16 08:14:11 aphrodite Pluto[26401]: "homeusers" #8: no acceptable
7435 | and then it terminates the connection.
7437 As far as I can tell/remember, there are three common ways that PGPnet
7438 and FreeS/WAN don't get along.
7440 1. PGPnet proposes a longer lifetime for an SA than Pluto is willing
7443 2. After rekeying (i.e. after building a new SA bundle because the old
7444 one is about to expire), FreeS/WAN immediately switches to the new
7445 one while PGPnet continues using the old
7447 3. FreeS/WAN defaults to expecting Perfect Forward Secrecy and PGPnet
7450 Perhaps you are bumping into the first. In any case, look back
7451 in the log to see why Pluto rejected each transform
7453 <P> Some advice from the mailing list:</P>
7455 Subject: Re: Secure Gate Fails- PGPNet & FreeSwan
7456 Date: Wed, 28 Jun 2000
7457 From: Andreas Haumer <andreas@xss.co.at>
7459 I have a PGPnet setup running with FreeS/WAN working as secure
7460 gateway. It works quite fine, except for a re-negotiation problem
7461 I'm currently investigating, and in fact I have it running on some
7462 test equipment here right now!
7464 As I tried _several_ different non-working configuration settings
7465 I think I know the exact _one_ which works... :-)
7467 Here's my short "HOWTO":
7469 FreeS/WAN version: snap1000jun25b
7470 PGPnet: PGP Personal Privacy, Version 6.5.3
7471 Linux: 2.2.16 with some patches
7476 internal subnet [192.168.x.0/24]
7479 secure gateway with FreeS/WAN
7487 | [dynamically assigned IP address]
7488 road-warrior with PGPnet
7491 Configuration of FreeS/WAN:
7492 ==========================
7497 interfaces=%defaultroute
7514 leftsubnet=192.168.x.0/24
7519 b) /etc/ipsec.secrets
7521 a.b.c.x 0.0.0.0: "my very secret secret"
7524 Note: If you are running ipchains on your secure gateway,
7525 you have to open the firewall for all the IPsec packets
7526 and also for traffic from your ipsec interface!
7527 Don't masquerade the IPsec traffic!
7529 Check your logfiles if the firewall is blocking some
7533 Configuration of PGPnet:
7534 =======================
7536 (note that there is an excellent description, including
7537 screenshots of PGPnet, on <http://jixen.tripod.com/>)
7539 In short, do the following:
7541 Launch the PGPnet configuration tool and set defaults options
7542 =============================================================
7544 Start - Program - PGP - PGPnet
7548 Allow communications with unconfigured hosts
7549 Require valid authentication key
7550 Cache passphrases between logins
7555 Ciphers : Tripple DES
7557 Diffie-Hellman : 1024 and 1536
7558 Compression : LZS and Deflate
7559 Make the IKE proposal :
7560 Shared-Key - MD5 - 3DES -1024 bits on top of the list (move up)
7561 Make the IPSec proposal :
7562 NONE - MD5-TrippleDES -NONE on top of the list (move up)
7563 Select Perfect Forward Secrecy = 1024 bits
7567 Create the connection's definition.
7568 ==================================
7570 In the Hosts panel, ADD
7571 Name : Enter a name for the right gateway
7572 IPaddress : Enter its IP address visible to the internet (a.b.c.x)
7573 Select Secure Gateway
7574 Set shared Paraphrase : enter you preshared key
7575 Identity type : select IP address
7576 Identity : enter 0.0.0.0
7577 Remote Authentication : select Any valid key
7579 Select the newly created entry for the right gateway and click ADD,
7581 Name : Enter a name for the central subnet
7582 IP address : Enter its network IP address (192.168.x.0)
7583 Select Insecure Subnet
7584 Subnet Mask : enter its subnetmask (255.255.255.0)
7588 This should be it. Note that with this configuration there is
7589 still this re-keying problem: after 6 hours, the SA is expired
7590 and the connection fails. You have to re-connect your connection
7592 <P>and a note from the team's tech support person:</P>
7593 <PRE>Date: Thu, 29 Jun 2000
7594 From: Claudia Schmeing
7596 There is a known issue with PGPNet which I don't see mentioned in the docs.
7597 It's likely related to this one, that you note on the site:
7599 >2. After rekeying (i.e. after building a new SA bundle because the old
7600 > one is about to expire), FreeS/WAN immediately switches to the new
7601 > one while PGPnet continues using the old
7603 The issue is: When taking down and subsequently recreating a connection,
7604 it can appear to come up, but it is unusable because PGPNet continues
7605 to use an old SA, which Linux FreeS/WAN no longer recognizes. The solution is
7606 to take down the old connection using PGPNet, so that it will then
7607 use the most recently generated SA.</PRE>
7608 <H3><A name="IRE">IRE Safenet/SoftPK</A></H3>
7609 <P> IRE have an extensive line of IPSEC products, including firewall
7610 software with IPSEC, and hardware encryption devices for LAN or modem
7611 links. Their Soft-PK is a Win 98 and NT client.</P>
7612 <P> Quite a few people seem to be using this with FreeS/WAN and,
7613 judging by mailing list reports, to be getting good results. Several
7614 documents are available: </P>
7616 <LI><A href="http://www.terradoncommunications.com/security/whitepapers/safe_net-to-free_swan.pdf">
7617 PDF HowTo</A> titled <CITE>FreeS/WAN 1.8 <--> IRE Safenet SoftPK 5.1.0
7618 Road-Warrior VPN Configuration Guide</CITE> from Terradon
7619 Communications. </LI>
7620 <LI><A href="http://www.redbaronconsulting.com/freeswan/fswansafenet.pdf">
7621 PDF document</A> from Red Baron Consulting. </LI>
7622 <LI><A href="http://jixen.tripod.com/#Rw-IRE-to-Fwan"> IRE-to-FreeS/WAN
7623 section</A> of Jean-Francois Nadeau's configuration document </LI>
7625 <P>Some messages from the mailing list:</P>
7627 Subject: Re: Identification through other than IP number
7628 Date: Fri, 23 Apr 1999
7629 From: Tim Miller <cerebus+counterpane@haybaler.sackheads.org>
7633 > Anyone know of a low-cost MS-Win client that interoperates and does not
7634 > require purchasing a server license to get it?
7636 SafeNet/Soft-PK from IRE (http://www.ire.com) is a low-cost
7637 client (though I don't have the exact cost available at the moment).
7638 I've got it running on an NT4 workstation and it interoperates nicely
7639 (in transport mode, will try tunnel later) with FreeS/WAN. It's also
7640 ICSA IPsec certified.
7642 A later report from a different user:
7644 Subject: Interop.. testing. WIN32 client : Success Story
7645 Date: Thu, 11 Nov 1999
7646 From: Jean-Francois Nadeau <jna@microflex.ca>
7648 You can add IRE's products in the supported, well working (and cheap)
7649 WIN32 client. I tested it (SafeNet SoftPK 3DES) against Freeswan 1.0
7650 and 1.1 in both tunnel and transport mode in a RoadWarrior configuration. No bug.
7652 The software is light, non-intrusive and transparent for the user.....defenitly,
7655 The tunnel is establish on demand.
7657 Using shared keys....but hope to use certificates with it soon (well,
7658 when Freeswan will ;)).
7660 A recent report with some setup details:
7662 Subject: RE: linux-ipsec: PGPnet and Freeswan one more time...
7663 Date: Sat, 16 Dec 2000
7664 From: "Tim Wilson" <timwilson@mediaone.net>
7666 Here are some details about using the IRE SafeNet Soft/PK client with a
7669 I applied the x509 patch to Pluto according to the instructions. I use the
7670 "leftcert" and "rightcert" keywords in the ipsec.conf file. This causes
7671 FreeSwan to read the public keys and identities from the cert files. The
7672 identities wanted and used by FreeSwan will then be the DNs in the certs.
7674 I used OpenSSL to generate keys and certs and to sign certs. When generating
7675 the gateway cert, you should *not* enter an e-mail address because it turns
7676 out that confuses Soft/PK. Also, Andreas Steffan tells me that you want to
7677 keep the cert short to avoid fragmentation, so use a 1024-bit RSA key and
7680 The FreeSwan gateway cert goes in /etc/ipsec.d/, the gateway private key is
7681 extracted from the key file using fswcert (part of the x509 patch) and
7682 pasted into /etc/ipsec.secrets, and a DER version of the gateway cert goes
7683 in /etc/x509cert.der. This is all according to the instructions that
7684 accompany the x509 patch.
7686 The Windows client is of course running Soft/PK in this case. I generated a
7687 private key and cert for the client on the Linux machine using OpenSSL. I
7688 created a pkcs12 file containing the client's private key and cert, which I
7689 put on a floppy and imported into Soft/PK. I also imported the gateway cert
7690 into Soft/PK (you can either import a self-signed cert for the gateway or
7691 the self-signed cert for the CA that signed the gateway cert--either works).
7693 Soft/PK allows you to configure practically everything for the connection.
7694 Here are the main points to watch for:
7696 On the first panel you have to set the peer identities. The gateway will
7697 identify itself using the DN in the gateway cert. So of course you have to
7698 configure Soft/PK to look for the correct DN. There's no problem with this
7699 as long as you didn't enter an e-mail address in the gateway cert. Just
7700 check "Connect using Secure Gateway tunnel", set ID type to "Distinguished
7701 Name", and enter the correct info in the dialog box.
7703 In "My identity" just select the client cert that you imported in pcks12
7704 format. Soft/PK apparently identifies itself with the DN from the cert,
7705 which is exactly what FreeSwan is looking for.
7707 In "Security Policy", you want Main mode and make the PFS setting agree with
7708 whatever FreeSwan is doing (FreeSwan uses PFS by default). If you use PFS I
7709 believe you must use DH group 2 as FreeSwan doesn't like group 1.
7711 Phase 1 Authentication must be "RSA signatures" and 3DES plus either MD5 or
7712 SHA-1 (I used MD5 but I believe FreeSwan accepts either). I left the
7713 lifetime unspecified. Also you must select DH group 2 because I believe that
7714 FreeSwan will not accept group 1.
7716 Phase 2 also must use 3DES and MD5 or SHA-1. I used no compression and only
7717 ESP and no AH, haven't tried other choices.
7721 <H3><A name="borderware">Borderware</A></H3>
7722 <H3><A name="freegate">Freegate</A></H3>
7723 <PRE>Subject: ipsec interoperability FYI
7724 Date: Sun, 02 May 1999
7725 From: Sean Rooney <sean@coldstream.ca>
7727 we've been doing some basic interoperability testing of the following;
7729 PGP NT VPN 6.5 and freeswan both seem to work reasonably well with
7730 Borderware 6.0 and freegate 1.3 beta. [as well as eachother]
7732 more details coming soon.</PRE>
7733 <H3><A name="timestep">Timestep</A></H3>
7735 Subject: TimeStep Permit/Gate interop works!
7736 Date: Thu, 10 Jun 1999
7737 From: Derick Cassidy <dcthebrain@geek.com>
7739 Just a quick note of success. TimeStep Permit/Gate (2520) and
7740 Free/Swan (June 4th snapshot) interoperate!
7742 I have them working in AUTO mode, with IKE. IPSec SA's are negotiated
7745 Here are the configs and a diagram for both configs.
7747 left subnet---| Timestep | --- internet --- | Linux box |
7749 The left subnet is defined as the red side of the timestep box.
7750 This network definition MUST exist in the Secure Map.
7759 leftnexthop=209.yyy.xxx.1
7760 leftsubnet=209.yyy.xxx.128/25
7761 right=24.aaa.bbb.203
7762 rightnexthop=24.aaa.bbb.1
7763 rightsubnet=24.aaa.bbb.203/32
7768 In the TimeStep permit/gate Secure Map
7771 target "209.yyy.xxx.128/255.255.255.128"
7772 mode "ISAKMP-Shared"
7773 tunnel "209.yyy.xxx.6"
7776 In the TimeStep Security Descriptor file
7778 begin security-descriptor
7779 Name "High"
7780 IPSec "ESP 3DES MINUTES 300 or ESP 3DES HMAC MD5 MINUTES 300"
7781 ISAKMP "IDENTITY PFS 3DES MD5 MINUTES 1440
7782 or DES MD5 MINUTES 1440"
7785 The timestep has a shared secret for 24.aaa.bbb.203/255.255.255.255
7786 set in the Shared Secret Authentication tab of Permit/Config.</PRE>
7787 <H3><A name="shiva">Shiva/Intel LANrover</A></H3>
7788 <P>A <A href="http://snowcrash.tdyc.com/freeswan/">web page</A> with
7789 Shiva compatibility information.</P>
7790 <H3><A name="solaris">Sun Solaris</A></H3>
7791 <PRE> Subject: Re: FreeS/WAN and Solaris
7792 Date: Tue, 11 Jan 2000
7793 From: Peter Onion <Peter.Onion@btinternet.com>
7795 Slowaris 8 has a native (in kernel) IPSEC implementation.
7797 I've not done much interop testing yet, but I seem to rememeber we got a manual
7798 keyed connection between it and FreeSwan a few months ago.</PRE>
7799 <H3><A name="sonicwall">Sonicwall</A></H3>
7801 Subject: Re: FreeS/WAN and SonicWall
7802 Date: Mon, 5 Feb 2001
7803 From: "Dilan Arumainathan" <dilan_a@impark.com>
7805 ***************************************************
7806 I know I HAVE TO write the mini-howto - but here is the beginning
7807 ***************************************************
7809 Here is my Sonicwall configuration for my working connection:
7815 rightnexthop=y.y.y.y
7816 rightsubnet=10.1.20.0/24
7817 #You need to set the Unique Firewall Identifier to the parameter that you
7818 #use as the rightid.
7820 rightid=sw@sonicwall.com
7827 Your /etc/ipsec.secrets should be like this:
7828 x.x.x.x y.y.y.y sw@sonicwall.com : PSK "opensesame"
7830 On the Sonicwall create a new connection:
7833 IPSec Gateway address: 0.0.0.0
7835 Encryption Method: Strong Encrypt and Authenticate( EPS 3DES HMAC MD5)
7836 Shared Secret: opensesame
7841 <H3><A name="radguard">Radguard</A></H3>
7842 Here are some mailing list comments from FreeS/WAN tech support person
7843 Claudia Schmeing on this:
7845 It certainly has been possible to interop between Radguard VPN gateways and
7846 past Linux FreeS/WAN versions, as is evidenced by
7847 http://www.opus1.com/vpn/atl99display.html, as well as my own interop results
7848 from San Diego this year. There have been no major changes since SD that
7849 I would foresee affecting this.
7851 The Radguard team said that their VPN gateway will not respond to a peer
7852 request with PFS (Perfect Forward Secrecy) on, but it *will* successfully
7853 establish such a connection with Linux FreeS/WAN when Radguard is the
7854 initiator. Since PFS is a desirable feature in terms of cryptographic
7855 security, this asymmetry may frustrate efforts to provide a connection that
7856 is both as reliable as secure as possible.
7858 While it's not clear that rekeying will present a problem, I suspect that
7859 some fine tuning of the key life parameters may be needed. Unfortunately
7860 I was unable to do additional tests on this topic.
7862 Due to the PFS issue, when trying to maintain a connection with PFS,
7863 you may need to set the rekeying times shorter on the radguard side,
7864 in order to ensure that it is always the initiator.
7866 <H3><A name="winclient">Windows clients</A></H3>
7867 <P> Quite a number of client programs for IPSEC on Windows are
7868 available. Many of them are listed in this piece of list mail:</P>
7870 Subject: Re: Searching Windows95/98 and NT4.0 Clients for FreeS/WAN
7871 From: Claudia Schmeing <claudia@coldstream.ca>
7872 Date: Wed, 12 Jul 2000
7876 for Win 95, 98 and NT 4.0
7877 http://www.datafellows.com/products/vpnplus
7880 Checkpoint SecureRemote VPN-1 4.1
7881 ---------------------------------
7882 for Win 95, 98 and NT
7883 http://www.checkpoint.com/techsupport/freedownloads.html
7886 Raptor Firewall, Raptor MobileNT 5.0
7887 -------------------------------------
7888 Mobile NT is a "Client"* for Win 95, 98 (except SE), First Edition Windows NT
7889 up to Service Pack 4. It ships with DES; triple DES may be available as an
7890 add-on depending on your location.
7892 Firewall is for Win NT 4.0 or Win 2000.
7893 http://www.axent.com
7898 a "Client" for Win 95, 98 and NT 4.0 *
7902 Xedia's AccessPoint QVPN "Client" or "Builder"
7903 ----------------------------------------------
7904 "Builder" is for NT
7905 "Client" is for Win 98 *
7906 http://www.xedia.com
7908 * "Client" in this context indicates software that does not support a subnet
7909 behind its end of the connection.
7911 <P> That mail omits the <A href="#pgpnet">PGPnet client</A> because the
7912 user asking the question already knew of it. The <A href="#sentinel">
7913 SSH Sentinel</A> client, released since the above message, is another
7914 possibility. Both of those have members of the vendor's staff active on
7915 our mailing list, an excellent sign for both interoperability and
7917 <P> We also know of some Windows IPSEC clients not mentioned above: </P>
7919 <LI><A href="http://www.lucent.com/ins/products/ipsec/">Lucent</A></LI>
7920 <LI><A href="http://www.ashleylaurent.com/">Ashleylaurent</A></LI>
7922 <P> No doubt there are others we don't know of. </P>
7923 <H3><A name="NTdomain">NT domains vs. tunnels</A></H3>
7924 There has been some mailing list discussion of making NT domains work
7925 across FreeS/WAN tunnels.
7926 <P> Robert Cotran asked: </P>
7928 > I have a VPN setup between two subnets (192.168.1.x and 192.168.2.x). I
7929 > would like to be able to join the NT domain on 192.168.1.x from the
7930 > 192.168.2.x subnet. Is this possible? Do I have to forward specific ports
7931 > to do this? I've already set up WINS entries for all the machines, so
7932 > accessing computers by their NetBIOS names works perfectly. Please let me
7933 > know about this domain thing. Thanks!
7935 Dilan Arumainathan answered:
7937 All you need to do is to:
7939 1. Enable NetBIOS over TCP.
7940 2. Create a "lmhosts" file and enter the address of a BDC or a PDC like
7941 192.168.1.[x] [Your PDC/BDC servername] #PRE #DOM:[Your Domain Name]
7942 eg. 192.168.1.1 MYOWNPDC #PRE #DOM:DENSI-NT
7944 3. Reboot if necessary.
7946 and Sebastien Pfieffer provided a slightly different answer:
7948 For a trust relationship to work between NT domains in different
7949 (sub)nets all domain controllers of the 1st domain have to know about
7950 all controllers of the other domain.
7951 Either you use the described LMHOSTS entry for every domain controller
7952 of both domains or consider setting up WINS service(s).
7954 We suspect that in some cases it may be more complex than that. See
7955 the discussion of <A href="#lin2k">Linux services and Windows 2000</A>
7956 below and the <A href="#otherpub">Interop HowTo</A> documents listed
7958 <H3><A name="win2k">Windows 2000</A></H3>
7959 <P> Windows 2000 ships with an IPSEC implementation built in. There may
7960 be restrictions. We have had mailing list reports that only the server
7961 version will act as a gateway, working with a subnet behind it, and
7962 other versions offer only "client" functionality, with no subnet. We
7963 are unclear on details.</P>
7964 <P>Some versions of Windows 2000 ship with only weak encryption. You
7965 need to upgrade them with the strong encryption pack, available either
7966 via the Windows 2000 update service or from Microsoft's web site.</P>
7967 <P>Windows 2000 IPSEC sometimes exhibits remarkably odd behaviour. It
7968 will allow you to configure it for 3DES only, then ignore your
7969 settings and fall back to single DES in some circumstances. Microsoft
7970 have said they will fix this. See this <A href="http://www.wired.com/news/technology/0,1282,36336,00.html">
7971 Wired article</A>.</P>
7972 <H4><A name="lin2k">Other Linux services related to Win 2000</A></H4>
7973 <P> Windows 2000 also uses a number of other security mechanisms which
7974 have Linux equivalents. To integrate well with Windows 2000, you may
7975 need to look at several open source projects other than FreeS/WAN:</P>
7977 <LI>Windows 2000 builds L2TP tunnels over (some of?) its IPSEC
7978 connections. There is a Linux <A href="http://www.marko.net/l2tp/">
7979 L2TP Daemon</A>.</LI>
7980 <LI>Kerberos authentication is used in Windows 2000.
7982 <LI><A href="http://web.mit.edu/network/kerberos-form.html">MIT
7983 Kerberos site</A></LI>
7984 <LI><A href="http://consult.stanford.edu/afsinfo/kerberos.shtml">
7985 introductory document</A></LI>
7986 <LI>Kerberos <A href="http://alycia.dementia.org/kerberos.html"> links
7990 <P> The Windows 2000 Kerberos implementation includes proprietary
7991 modifications. This is a security worry since it is by no means clear
7992 that the modified version remains secure. It also creates
7993 interoperation problems. Microsoft have released documentation on their
7994 modifications, but only under a license that hampers attempts either to
7995 audit their code for security flaws or to build other implementations
7996 that interoperate with it.</P>
7997 <LI><A href="http://www.samba.org/">Samba</A> is a Linux implementation
7998 of the Windows SMB protocol, allowing disk sharing and other network
8000 <LI><A href="http://tipxd.sourceforge.net/">tipxd</A>, the Tunelling
8001 IPX Daemon, encapsulates IPX for transport over IP. </LI>
8003 Here is a mailing list message, from FreeS/WAN team tech support
8004 person Claudia Schmeing, discussing Windows 2000 and L2TP:
8008 > I want some information about IPsec with L2TP.
8009 > I'm going to build the IPsec tunnel on the L2TP tunnel.
8011 > Is there any case like this already implemented?
8013 It's used, but rarely. In many cases, IPSec alone is sufficient.
8015 In this thread, Timo Teras reports that he configured the L2TP/IPSec
8016 hybrid with Win2k. He gives some pointers.
8017 http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/11/msg00545.html
8019 See also John P. Eisenmenger's report on his own experiences at:
8020 http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2001/02/msg00195.html
8022 <H4><A name="interop.win2k">FreeS/WAN-to-Win2000 interop</A></H4>
8023 <P> As for IPSEC interoperation between Windows 2000 and FreeS/WAN,
8024 there are several web sites listed under <A href="#otherpub">Interop
8025 HowTo</A> documents above.</P>
8026 <P>Here is a discussion from the mailing list:</P>
8027 <PRE>From: "Jean-Francois Nadeau" <jna@microflex.ca>
8028 Subject: Win2000 IPsec interop. in tunnel mode
8029 Date: Tue, 29 Feb 2000
8031 This was a pain.... but it worked. ;)
8033 Win2000 Server against Freeswan 1.1 in tunnel mode is a success.
8038 Kernel 2.2.12 running Freeswan 1.1
8039 Using 3DES-MD5 and PreShared Keys.
8042 M$ Win2000 Advanced server patched for 3DES
8045 Here's the setup for the Win2000 Server.
8047 Open an MMC with the IPsec Security policy editor snap-in.
8048 Create a new IP Security Policy.
8049 Create 2 IP SECURITY RULES. One for inbound traffic and one for outbound trafic (see below)
8050 Create 2 IP FILTERS. One for inbound traffic and one for outbound trafic (see below)
8051 Assign the inbound IP SECURITY RULE to the inbound IP FILTERS, same for outbound.
8052 Select both IP SECURITY RULES.
8053 Select your IP Security Policy, right click and ASSIGN.
8056 We need an example to clarify that !@#! logic :
8060 Conn Interop_Testing
8062 Leftsubnet=10.0.0.0/8
8064 Rightsubnet=192.168.0.0/24
8069 IP Security Policy : Interop_Testing
8072 1st IP Security rule : Left_to_Right
8073 IP Filter List : Left_to_Right
8074 Source Address = 1.2.3.4
8075 Destination Address = A specific Subnet = 192.168.0.0 255.255.255.0
8076 Filter Action : Request Security
8077 Connections type : All connections
8078 Tunnel Settings : Endpoint = 9.8.7.6
8079 Authentication Method = PreSharedKey=yourkey
8083 2nd IP Security rule : Right_to_Left
8084 IP Filter List : Right_to_Left
8085 Source Address = 9.8.7.6
8086 Destination Address = A specific Subnet = 10.0.0.0 255.0.0.0
8087 Filter Action : Request Security
8088 Connections type : All connections
8089 Tunnel Settings : Endpoint = 1.2.3.4
8090 Authentication Method = PreSharedKey=yourkey
8096 Do not use mirroring in your IP filters.
8097 Move your main proposal to the top (in my case 3DES-MD5)
8100 It worked... but a RoadWarrior configuration doesnt seems to be
8101 possible here (must specify both Endpoints and 0.0.0.0 is not acceptable).
8104 Jean-Francois Nadeau
8107 <P> The RoadWarrior problem has since been solved. RSA authentication
8108 has been added to FreeS/WAN since the above message was posted. </P>
8110 <H1><A name="politics">History and politics of cryptography</A></H1>
8111 <P> Cryptography has a long and interesting history, and has been the
8112 subject of considerable political controversy. </P>
8113 <H2><A name="intro.politics">Introduction</A></H2>
8114 <H3><A NAME="11_1_1">History</A></H3>
8115 <P> The classic book on the history of cryptography is David Kahn's <A href="#Kahn">
8116 The Codebreakers</A>. It traces codes and codebreaking from ancient
8117 Egypt to the 20th century. </P>
8118 <P> Diffie and Landau <A href="#diffie">Privacy on the Line: The
8119 Politics of Wiretapping and Encryption</A> covers the history from the
8120 First World War to the 1990s, with an emphasis on the US. </P>
8121 <H4>World War II</H4>
8122 During the Second World War, the British "Ultra"project achieved one
8123 of the greatest intelligence triumphs in the history of warfare,
8124 breaking many Axis codes. One major target was the Enigma cipher
8125 machine, a German device whose users were convinced it was unbreakable.
8126 The American "Magic" project had some similar triumphs against Japanese
8128 <P> There are many books on this period. See our bibliography for a
8129 few, or try a (web or library) search on "Ultra" and "Enigma". Two
8130 books I particularly like are: </P>
8132 <LI>Andrew Hodges has done a superb <A href="http://www.turing.org.uk/book/">
8133 biography</A> of Alan Turing, a key player among the Ultra
8134 codebreakers. Turing was also an important computer pioneer. The terms <A
8135 href="http://www.abelard.org/turpap/turpap.htm">Turing test</A> and <A href="http://plato.stanford.edu/entries/turing-machine/">
8136 Turing machine</A> are named for him, as is the <A href="http://www.acm.org">
8137 ACM</A>'s highest technical <A href="http://www.acm.org/awards/taward.html">
8139 <LI> Neal Stephenson's <A href="#neal">Cryptonomicon</A> is a novel
8140 with cryptography central to the plot. Parts of it take place during WW
8141 II, other parts today. </LI>
8143 <P> Bletchley Park, where much of the Ultra work was done, now has a
8144 museum and a <A href="http://www.bletchleypark.org.uk/"> web site</A>. </P>
8145 <P> The Ultra work introduced three major innovations. </P>
8147 <LI>The first break of Enigma was achieved by Polish Intelligence in
8148 1931. Until then most code-breakers had been linguists, but a different
8149 approach was needed to break machine ciphers. Polish Intelligence
8150 realised this, recruited some clever young mathematicians, and
8151 succeeded in cracking the "unbreakable" Enigma. When war came in 1939,
8152 the Poles told their allies about this, putting Britain on the road to
8153 Ultra. The British also adopted a mathematical approach. </LI>
8154 <LI>Machines were extensively used in the attacks. First the Polish
8155 "Bombe" for attacking Enigma, then British versions of it, then
8156 machines such as Collosus for attacking other codes. By the end of the
8157 war, some of these machines were beginning to closely resemble digital
8158 computers. After the war, a team at Manchester University, several old
8159 Ultra hands included, built one of the world's first actual
8160 general-purpose digital computers. </LI>
8161 <LI>Ultra made codebreaking a large-scale enterprise, producing
8162 intelligence on an industrial scale. This was not a "black chamber",
8163 not a hidden room in some obscure government building with a small crew
8164 of code-breakers. The whole operation -- from wholesale interception of
8165 enemy communications by stations around the world, through large-scale
8166 code-breaking and analysis of the decrypted material (with an enormous
8167 set of files for cross-referencing), to delivery of intelligence to
8168 field commanders -- was huge, and very carefully managed. </LI>
8170 <P> So by the end of the war, Allied code-breakers were expert at
8171 large-scale mechanised code-breaking. The payoffs were enormous. </P>
8172 <H4><A name="postwar">Postwar and Cold War</A></H4>
8173 The wartime innovations were enthusiastically adopted by post-war and
8174 Cold War signals intelligence agencies. Presumably many nations now
8175 have some agency capable of sophisticated attacks on communications
8176 security, and quite a few engage in such activity on a large scale.
8177 <P> America's <A href="#NSA">NSA</A>, for example, is said to be both
8178 the world's largest employer of mathematicians and the world's largest
8179 purchaser of computer equipment. Such claims may be somewhat
8180 exaggerated, but beyond doubt the NSA -- and similar agencies in other
8181 countries -- have some excellent mathematicians, lots of powerful
8182 computers, sophisticated software, and the organisation and funding to
8183 apply them on a large scale. Details of the NSA budget are secret, but
8184 there are some published <A href="http://www.fas.org/irp/nsa/nsabudget.html">
8186 <P> Changes in the world's communications systems since WW II have
8187 provided these agencies with new targets. Cracking the codes used on an
8188 enemy's military or diplomatic communications has been common practice
8189 for centuries. Extensive use of radio in war made large-scale attacks
8190 such as Ultra possible. Modern communications make it possible to go
8191 far beyond that. Consider listening in on cell phones, or intercepting
8192 electronic mail, or tapping into the huge volumes of data on new media
8193 such as fiber optics or satellite links. None of these targets existed
8194 in 1950. All of them can be attacked today, and almost certainly are
8195 being attacked. </P>
8196 <P> The Ultra story was not made public until the 1970s. Much of the
8197 recent history of codes and code-breaking has not been made public, and
8198 some of it may never be. Two important books are: </P>
8200 <LI>Bamford's <A href="#puzzle">The Puzzle Palace</A>, a history of the
8202 <LI>Hager's <A href="http://www.fas.org/irp/eprint/sp/index.html">
8203 Secret Power</A>, about the <A href="http://sg.yahoo.com/government/intelligence/echelon_network/">
8204 Echelon</A> system -- the US, UK, Canada, Australia and New Zealand
8205 co-operating to monitor much of the world's communications. </LI>
8207 <P> Note that these books cover only part of what is actually going on,
8208 and then only the activities of nations open and democratic enough that
8209 (some of) what they are doing can be discovered. A full picture,
8212 <LI>actions of the English-speaking democracies not covered in those
8214 <LI>actions of other more-or-less sane governments </LI>
8215 <LI>the activities of various more-or-less insane governments </LI>
8216 <LI>possibilities for unauthorized action by government employees </LI>
8218 <P> might be really frightening. </P>
8219 <H4><A name="recent">Recent history -- the crypto wars</A></H4>
8220 Until quite recently, cryptography was primarily a concern of
8221 governments, especially of the military, of spies, and of diplomats.
8222 Much of it was extremely secret.
8223 <P> In recent years, that has changed a great deal. With computers and
8224 networking becoming ubiquitous, cryptography is now important to almost
8225 everyone. Among the developments since the 1970s: </P>
8227 <LI>The US gov't established the Data Encryption Standard, <A href="#DES">
8228 DES</A> standard, a <A href="#block">block cipher</A> for cryptographic
8229 protection of unclassfied documents. It has also been widely used in
8231 <LI><A href="#public">Public key</A> cryptography was invented by
8232 Diffie and Hellman. </LI>
8233 <LI>Academic conferences such as <A href="http://www-cse.ucsd.edu/users/mihir/crypto2k.html">
8234 Crypto</A> and <A href="http://www.esat.kuleuven.ac.be/cosic/eurocrypt2000/">
8235 Eurocrypt</A> began. </LI>
8236 <LI>Several companies began offerring cryptographic products: <A href="#RSAco">
8237 RSA</A>, <A href="#PGPI">PGP</A>, the many vendors with <A href="#PKI">
8238 PKI</A> products, ... </LI>
8239 <LI>Cryptography appeared in other products: operating systems, word
8240 processors, ... </LI>
8241 <LI>Network protocols based on crypto were developed: <A href="#SSH">
8242 SSH</A>, <A href="#SSL">SSL</A>, <A href="#IPSEC"> IPSEC</A>, ... </LI>
8243 <LI>Crytography came into widespread use to secure bank cards,
8244 terminals, ... </LI>
8245 <LI>The US government replaced <A href="#DES">DES</A> with the much
8246 stronger Advanced Encryption Standard, <A href="#AES">AES</A></LI>
8248 <P> This has led to a complex ongoing battle between various mainly
8249 government groups wanting to control the spread of crypto and various
8250 others, notably the computer industry and the "cypherpunk" crypto
8251 advocates, wanting to encourage widespread use. </P>
8252 <P> Steven Levy has written a fine history of much of this, called <A href="#crypto">
8253 Crypto: How the Code rebels Beat the Government -- Saving Privacy in
8254 the Digital Age</A>. </P>
8255 <P> The FreeS/WAN project is to a large extent an outgrowth of <A href="http://world.std.com/~franl/crypto/cypherpunks.html">
8256 cypherpunk</A> ideas. Our reasons for doing the project can be seen in
8257 these quotes from the <A href="http://www.eff.org/pub/Privacy/Crypto_misc/cypherpunk.manifesto">
8258 Cypherpunk Manifesto</A>: <BLOCKQUOTE> Privacy is necessary for an open
8259 society in the electronic age. ...
8260 <P> We cannot expect governments, corporations, or other large,
8261 faceless organizations to grant us privacy out of their beneficence.
8262 It is to their advantage to speak of us, and we should expect that
8263 they will speak. ... </P>
8264 <P> We must defend our own privacy if we expect to have any. ... </P>
8265 <P> Cypherpunks write code. We know that someone has to write software
8266 to defend privacy, and since we can't get privacy unless we all do,
8267 we're going to write it. We publish our code so that our fellow
8268 Cypherpunks may practice and play with it. Our code is free for all to
8269 use, worldwide. We don't much care if you don't approve of the
8270 software we write. We know that software can't be destroyed and that a
8271 widely dispersed system can't be shut down. </P>
8272 <P> Cypherpunks deplore regulations on cryptography, for encryption is
8273 fundamentally a private act. ... </P>
8274 <P> For privacy to be widespread it must be part of a social contract.
8275 People must come and together deploy these systems for the common good.
8277 </BLOCKQUOTE> To quote project leader John Gilmore: <BLOCKQUOTE> We are
8278 literally in a race between our ability to build and deploy
8279 technology, and their ability to build and deploy laws and treaties.
8280 Neither side is likely to back down or wise up until it has
8281 definitively lost the race. </BLOCKQUOTE></P>
8282 <P> If FreeS/WAN reaches its goal of making <A href="#opp.intro">
8283 opportunistic encryption</A> widespread so that secure communication
8284 can become the default for a large part of the net, we will have struck
8286 <H3><A name="intro.poli">Politics</A></H3>
8287 The political problem is that nearly all governments want to monitor
8288 their enemies' communications, and some want to monitor their citizens.
8289 They may be very interested in protecting some of their own
8290 communications, and often some types of business communication, but not
8291 in having everyone able to communicate securely. They therefore attempt
8292 to restrict availability of strong cryptography as much as possible.
8293 <P> Things various governments have tried or are trying include:</P>
8295 <LI>Echelon, a monitor-the-world project of the US, UK, NZ, Australian
8296 and Canadian <A href="#SIGINT">signals intelligence</A> agencies. See
8297 this <A href="http://sg.yahoo.com/government/intelligence/echelon_network/">
8298 collection</A> of links and this <A href="http://www.zdnet.com/zdnn/stories/news/0,4586,2640682,00.html">
8299 story</A> on the French Parliament's reaction.</LI>
8300 <LI>Others governments may well have their own Echelon-like projects.
8301 To quote the Dutch Minister of Defense, as reported in a German <A href="http://www.heise.de/tp/english/inhalt/te/4729/1.html">
8302 magazine</A>: <BLOCKQUOTE> The government believes not only the
8303 governments associated with Echelon are able to intercept
8304 communication systems, but that it is an activity of the investigative
8305 authorities and intelligence services of many countries with
8306 governments of different political signature. </BLOCKQUOTE> Even if
8307 they have nothing on the scale of Echelon, most intelligence agencies
8308 and police forces certainly have some interception capability. </LI>
8309 <LI><A href="#NSA">NSA</A> tapping of submarine communication cables,
8310 described in <A href="http://www.zdnet.com/zdnn/stories/news/0,4586,2764372,00.html">
8311 this article</A></LI>
8312 <LI>A proposal for international co-operation on <A href="http://www.heise.de/tp/english/special/enfo/4306/1.html">
8313 Internet surveillance</A>.</LI>
8314 <LI>Alleged <A href="http://cryptome.org/nsa-sabotage.htm">sabotage</A>
8315 of security products by the <A href="#NSA">NSA</A> (the US signals
8316 intelligence agency).</LI>
8317 <LI>The German armed forces and some government departments will stop
8318 using American software for fear of NSA "back doors", according to
8319 this <A href="http://www.theregister.co.uk/content/4/17679.html">news
8321 <LI>The British Regulation of Investigatory Powers bill. See this <A href="http://www.fipr.org/rip/index.html">
8322 web page.</A> and perhaps this <A href="http://ars.userfriendly.org/cartoons/?id=20000806&mode=classic">
8324 <LI>A Russian <A href="http://www.eff.org/pub/Privacy/Foreign_and_local/Russia/russian_crypto_ban_english.edict">
8325 ban</A> on cryptography</LI>
8326 <LI>Chinese <A href="http://www.eff.org/pub/Misc/Publications/Declan_McCullagh/www/global/china">
8327 controls</A> on net use.</LI>
8328 <LI>The FBI's carnivore system for covert searches of email. See this <A href="http://www.zdnet.com/zdnn/stories/news/0,4586,2601502,00.html">
8329 news coverage</A> and this <A href="http://www.crypto.com/papers/carnivore-risks.html">
8330 risk assessment</A>. The government had an external review of some
8331 aspects of this system done. See this <A href="http://www.crypto.com/papers/carnivore_report_comments.html">
8332 analysis</A> of that review. Possible defenses against Carnivore
8335 <LI><A href="#PGP">PGP</A> for end-to-end mail encryption </LI>
8336 <LI><A href="http://www.home.aone.net.au/qualcomm/">secure sendmail</A>
8337 for server-to-server encryption </LI>
8338 <LI>IPSEC encryption on the underlying IP network </LI>
8341 <LI>export laws restricting strong cryptography as a munition. See <A href="#exlaw">
8342 discussion</A> below.</LI>
8343 <LI>various attempts to convince people that fundamentally flawed
8344 cryptography, such as encryption with a <A href="#escrow">back door</A>
8345 for government access to data or with <A href="#shortkeys">inadequate
8346 key lengths</A>, was adequate for their needs. </LI>
8348 <P> Of course governments are by no means the only threat to privacy
8349 and security on the net. Other threats include:</P>
8352 <LI>industrial espionage, as for example in this <A href="http://www.zdnet.com/zdnn/stories/news/0,4586,2626931,00.html">
8354 <LI>attacks by organised criminals, as in this <A href="http://www.sans.org/newlook/alerts/NTE-bank.htm">
8355 large-scale attack</A></LI>
8356 <LI>collection of personal data by various companies.
8358 <LI>for example, consider the various corporate winners of Privacy
8359 International's <A href="http://www.privacyinternational.org/bigbrother/">
8360 Big Brother Awards</A>.</LI>
8361 <LI><A href="http://www.zeroknowledge.com">Zero Knowledge</A> sell
8362 tools to defend against this</LI>
8365 <LI>individuals may also be a threat in a variety of ways and for a
8366 variety of reasons </LI>
8367 <LI>in particular, an individual with access to government or industry
8368 data collections could do considerable damage using that data in
8369 unauthorized ways. </LI>
8371 <P> One <A href="http://www.zdnet.com/zdnn/stories/news/0,4586,2640674,00.html">
8372 study</A> enumerates threats and possible responses for small and
8373 medium businesses. VPNs are a key part of the suggested strategy. </P>
8374 <P> We consider privacy a human right. Our objective is to help make
8375 privacy possible on the Internet using cryptography strong enough not
8376 even those well-funded government agencies are likely to break it. If
8377 we can do that, the chances of anyone else breaking it are negliible. </P>
8378 <H3><A NAME="11_1_3">Links</A></H3>
8379 Many groups are working in different ways to defend privacy on the net
8380 and elsewhere. Please consider contributing to one or more of these
8383 <LI>the EFF's <A href="http://www.eff.org/crypto/">Privacy Now!</A>
8385 <LI>the <A href="http://www.gilc.org">Global Internet Liberty Campaign</A>
8387 <LI><A href="http://www.cpsr.org/program/privacy/privacy.html">Computer
8388 Professionals for Social Responsibility</A></LI>
8390 <P> For more on these issues see: </P>
8392 <LI>Steven Levy (Newsweek's chief technology writer and author of the
8393 classic "Hackers") new book <A href="#crypto"> Crypto: How the Code
8394 Rebels Beat the Government--Saving Privacy in the Digital Age</A></LI>
8395 <LI>Simson Garfinkel (Boston Globe columnist and author of books on <A href="#PGP">
8396 PGP</A> and <A href="#practical"> Unix Security</A>) book <A href="#Garfinkel">
8397 Database Nation: the death of privacy in the 21st century</A></LI>
8398 <LI>an <A href="http://www.immaterial.net/page.php3?id=44">interview</A>
8399 with Eblen Morgan (general counsel to the <A href="">Free Software
8400 Foundation</A> and a professor at Columbia Law School) on the
8401 "encryption wars". </LI>
8403 <P> See also the <A href="biblio.html">bibliography</A> and our list of <A
8404 href="#policy">web references</A> on cryptography law and policy.</P>
8405 <H3><A NAME="11_1_4">Outline of this section</A></H3>
8406 <P> The remainder of this section includes two pieces of writing by our
8409 <LI>his <A href="#gilmore">rationale</A> for starting this</LI>
8410 <LI>another <A href="#policestate">discussion</A> of project goals</LI>
8412 <P>and discussions of:</P>
8414 <LI><A href="#desnotsecure">why we do not use DES</A></LI>
8415 <LI><A href="#exlaw">cryptography export laws</A></LI>
8416 <LI>why <A href="#escrow">government access to keys</A> is not a good
8418 <LI>the myth that <A href="#shortkeys">short keys</A> are adequate for
8419 some security requirements</LI>
8421 <P> and a section on <A href="#press">press coverage of FreeS/WAN</A>.</P>
8422 <H2><A name="leader">From our project leader</A></H2>
8423 <P> FreeS/WAN project founder John Gilmore wrote a web page about why
8424 we are doing this. The version below is slightly edited, to fit this
8425 format and to update some links. For a version without these edits, see
8426 his <A href="http://www.toad.com/gnu/">home page</A>.</P>
8428 <H3><A name="gilmore">Swan: Securing the Internet against Wiretapping</A>
8431 <P>My project for 1996 was to <B>secure 5% of the Internet traffic
8432 against passive wiretapping</B>. It didn't happen in 1996, so I'm
8433 still working on it in 1997, 1998, and 1999! If we get 5% in 1999 or
8434 2000, we can secure 20% the next year, against both active and passive
8435 attacks; and 80% the following year. Soon the whole Internet will be
8436 private and secure. The project is called S/WAN or S/Wan or Swan for
8437 Secure Wide Area Network; since it's free software, we call it
8438 FreeSwan to distinguish it from various commercial implementations. <A href="http://www.rsa.com/rsa/SWAN/">
8439 RSA</A> came up with the term "S/WAN". Our main web site is at <A href="http://www.freeswan.org/">
8440 http://www.freeswan.org/</A>. Want to help?</P>
8441 <P>The idea is to deploy PC-based boxes that will sit between your
8442 local area network and the Internet (near your firewall or router)
8443 which opportunistically encrypt your Internet packets. Whenever you
8444 talk to a machine (like a Web site) that doesn't support encryption,
8445 your traffic goes out "in the clear" as usual. Whenever you connect
8446 to a machine that does support this kind of encryption, this box
8447 automatically encrypts all your packets, and decrypts the ones that
8448 come in. In effect, each packet gets put into an "envelope" on one
8449 side of the net, and removed from the envelope when it reaches its
8450 destination. This works for all kinds of Internet traffic, including
8451 Web access, Telnet, FTP, email, IRC, Usenet, etc.</P>
8452 <P>The encryption boxes are standard PC's that use freely available
8453 Linux software that you can download over the Internet or install from
8455 <P>This wasn't just my idea; lots of people have been working on it for
8456 years. The encryption protocols for these boxes are called <A href="#IPSEC">
8457 IPSEC (IP Security)</A>. They have been developed by the <A href="http://www.ietf.cnri.reston.va.us/html.charters/ipsec-charter.html">
8458 IP Security Working Group</A> of the <A href="http://www.ietf.org/">
8459 Internet Engineering Task Force</A>, and will be a standard part of
8460 the next major version of the Internet protocols (<A href="http://playground.sun.com/pub/ipng/html/ipng-main.html">
8461 IPv6</A>). For today's (IP version 4) Internet, they are an option.</P>
8462 <P>The <A href="http://www.iab.org/iab">Internet Architecture Board</A>
8463 and <A href="http://www.ietf.org/"> Internet Engineering Steering Group</A>
8464 have taken a <A href="iab-iesg.stmt">strong stand</A> that the
8465 Internet should use powerful encryption to provide security and
8466 privacy. I think these protocols are the best chance to do that,
8467 because they can be deployed very easily, without changing your
8468 hardware or software or retraining your users. They offer the best
8469 security we know how to build, using the Triple-DES, RSA, and
8470 Diffie-Hellman algorithms.</P>
8471 <P>This "opportunistic encryption box" offers the "fax effect". As
8472 each person installs one for their own use, it becomes more valuable
8473 for their neighbors to install one too, because there's one more
8474 person to use it with. The software automatically notices each newly
8475 installed box, and doesn't require a network administrator to
8476 reconfigure it. Instead of "virtual private networks" we have a "REAL
8477 private network"; we add privacy to the real network instead of
8478 layering a manually-maintained virtual network on top of an insecure
8480 <H4>Deployment of IPSEC</H4>
8481 <P>The US government would like to control the deployment of IP
8482 Security with its <A href="#exlaw">crypto export laws</A>. This isn't
8483 a problem for my effort, because the cryptographic work is happening
8484 outside the United States. A foreign philanthropist, and others, have
8485 donated the resources required to add these protocols to the Linux
8486 operating system. <A href="http://www.linux.org/">Linux</A> is a
8487 complete, freely available operating system for IBM PC's and several
8488 kinds of workstation, which is compatible with Unix. It was written
8489 by Linus Torvalds, and is still maintained by a talented team of
8490 expert programmers working all over the world and coordinating over
8491 the Internet. Linux is distributed under the <A href="#GPL">GNU Public
8492 License</A>, which gives everyone the right to copy it, improve it,
8493 give it to their friends, sell it commercially, or do just about
8494 anything else with it, without paying anyone for the privilege.</P>
8495 <P>Organizations that want to secure their network will be able to put
8496 two Ethernet cards into an IBM PC, install Linux on it from a $30
8497 CDROM or by downloading it over the net, and plug it in between their
8498 Ethernet and their Internet link or firewall. That's all they'll have
8499 to do to encrypt their Internet traffic everywhere outside their own
8500 local area network.</P>
8501 <P>Travelers will be able to run Linux on their laptops, to secure
8502 their connection back to their home network (and to everywhere else
8503 that they connect to, such as customer sites). Anyone who runs Linux
8504 on a standalone PC will also be able to secure their network
8505 connections, without changing their application software or how they
8506 operate their computer from day to day.</P>
8507 <P>There will also be numerous commercially available firewalls that
8508 use this technology. <A href="http://www.rsa.com/">RSA Data Security</A>
8509 is coordinating the <A href="http://www.rsa.com/rsa/SWAN">S/Wan
8510 (Secure Wide Area Network)</A> project among more than a dozen vendors
8511 who use these protocols. There's a <A href="http://www.rsa.com/rsa/SWAN/swan_test.htm">
8512 compatability chart</A> that shows which vendors have tested their
8513 boxes against which other vendors to guarantee interoperatility.</P>
8514 <P>Eventually it will also move into the operating systems and
8515 networking protocol stacks of major vendors. This will probably take
8516 longer, because those vendors will have to figure out what they want
8517 to do about the export controls.</P>
8518 <H4>Current status</H4>
8519 <P>My initial goal of securing 5% of the net by Christmas '96 was not
8520 met. It was an ambitious goal, and inspired me and others to work
8521 hard, but was ultimately too ambitious. The protocols were in an
8522 early stage of development, and needed a lot more protocol design
8523 before they could be implemented. As of April 1999, we have released
8524 version 1.0 of the software (<A href="ftp://ftp.xs4all.nl/freeswan/freeswan-1.0.tar.gz">
8525 freeswan-1.0.tar.gz</A>), which is suitable for setting up Virtual
8526 Private Networks using shared secrets for authentication. It does not
8527 yet do opportunistic encryption, or use DNSSEC for authentication;
8528 those features are coming in a future release.</P>
8531 <DD>The low-level encrypted packet formats are defined. The system for
8532 publishing keys and providing secure domain name service is defined.
8533 The IP Security working group has settled on an NSA-sponsored protocol
8534 for key agreement (called ISAKMP/Oakley), but it is still being worked
8535 on, as the protocol and its documentation is too complex and
8536 incomplete. There are prototype implementations of ISAKMP. The
8537 protocol is not yet defined to enable opportunistic encryption or the
8538 use of DNSSEC keys.</DD>
8539 <DT>Linux Implementation</DT>
8540 <DD>The Linux implementation has reached its first major release and is
8541 ready for production use in manually-configured networks, using Linux
8542 kernel version 2.0.36.</DD>
8543 <DT>Domain Name System Security</DT>
8544 <DD>There is now a release of BIND 8.2 that includes most DNS Security
8546 <P>The first prototype implementation of Domain Name System Security
8547 was funded by <A href="#DARPA">DARPA</A> as part of their <A href="http://www.darpa.mil/ito/research/is/index.html">
8548 Information Survivability program</A>. <A href="http://www.tis.com">
8549 Trusted Information Systems</A> wrote a modified version of <A href="http://www.isc.org/bind.html">
8550 BIND</A>, the widely-used Berkeley implementation of the Domain Name
8552 <P>TIS, ISC, and I merged the prototype into the standard version of
8553 BIND. The first production version that supports KEY and SIG records
8554 is <B>bind-4.9.5</B>. This or any later version of BIND will do for
8555 publishing keys. It is available from the <A href="http://www.isc.org/bind.html">
8556 Internet Software Consortium</A>. This version of BIND is not
8557 export-controlled since it does not contain any cryptography. Later
8558 releases starting with BIND 8.2 include cryptography for
8559 authenticating DNS records, which is also exportable. Better
8560 documentation is needed.</P>
8563 <P>Because I can. I have made enough money from several successful
8564 startup companies, that for a while I don't have to work to support
8565 myself. I spend my energies and money creating the kind of world that
8566 I'd like to live in and that I'd like my (future) kids to live in.
8567 Keeping and improving on the civil rights we have in the United
8568 States, as we move more of our lives into cyberspace, is a particular
8570 <H4>What You Can Do</H4>
8572 <DT>Install the latest BIND at your site.</DT>
8573 <DD>You won't be able to publish any keys for your domain, until you
8574 have upgraded your copy of BIND. The thing you really need from it is
8575 the new version of <I>named</I>, the Name Daemon, which knows about
8576 the new KEY and SIG record types. So, download it from the <A href="http://www.isc.org/bind.html">
8577 Internet Software Consortium </A> and install it on your name server
8578 machine (or get your system administrator, or Internet Service
8579 Provider, to install it). Both your primary DNS site and all of your
8580 secondary DNS sites will need the new release before you will be able
8581 to publish your keys. You can tell which sites this is by running the
8582 Unix command "dig MYDOMAIN ns" and seeing which sites are mentioned in
8583 your NS (name server) records.</DD>
8584 <DT>Set up a Linux system and run a 2.0.x kernel on it</DT>
8585 <DD>Get a machine running Linux (say the 5.2 release from <A href="http://www.redhat.com">
8586 Red Hat</A>). Give the machine two Ethernet cards.</DD>
8587 <DT>Install the Linux IPSEC (Freeswan) software</DT>
8588 <DD>If you're an experienced sysadmin or Linux hacker, install the
8589 freeswan-1.0 release, or any later release or snapshot. These releases
8590 do NOT provide automated "opportunistic" operation; they must be
8591 manually configured for each site you wish to encrypt with.</DD>
8592 <DT>Get on the linux-ipsec mailing list</DT>
8593 <DD>The discussion forum for people working on the project, and testing
8594 the code and documentation, is: linux-ipsec@clinet.fi. To join this
8595 mailing list, send email to <A href="mailto:linux-ipsec-REQUEST@clinet.fi">
8596 linux-ipsec-REQUEST@clinet.fi</A> containing a line of text that says
8597 "subscribe linux-ipsec". (You can later get off the mailing list the
8598 same way -- just send "unsubscribe linux-ipsec").</DD>
8600 <DT>Check back at this web page every once in a while</DT>
8601 <DD>I update this page periodically, and there may be new information
8602 in it that you haven't seen. My intent is to send email to the
8603 mailing list when I update the page in any significant way, so
8604 subscribing to the list is an alternative.</DD>
8606 <P>Would you like to help? I can use people who are willing to write
8607 documentation, install early releases for testing, write cryptographic
8608 code outside the United States, sell pre-packaged software or systems
8609 including this technology, and teach classes for network
8610 administrators who want to install this technology. To offer to help,
8611 send me email at gnu@toad.com. Tell me what country you live in and
8612 what your citizenship is (it matters due to the export control laws;
8613 personally I don't care). Include a copy of your resume and the URL
8614 of your home page. Describe what you'd like to do for the project,
8615 and what you're uniquely qualified for. Mention what other volunteer
8616 projects you've been involved in (and how they worked out). Helping
8617 out will require that you be able to commit to doing particular
8618 things, meet your commitments, and be responsive by email. Volunteer
8619 projects just don't work without those things.</P>
8620 <H4>Related projects</H4>
8622 <DT>IPSEC for NetBSD</DT>
8623 <DD>This prototype implementation of the IP Security protocols is for
8624 another free operating system. <A href="ftp://ftp.funet.fi/pub/unix/security/net/ip/BSDipsec.tar.gz">
8625 Download BSDipsec.tar.gz</A>.</DD>
8626 <DT>IPSEC for <A href="http://www.openbsd.org">OpenBSD</A></DT>
8627 <DD>This prototype implementation of the IP Security protocols is for
8628 yet another free operating system. It is directly integrated into the
8629 OS release, since the OS is maintained in Canada, which has freedom of
8630 speech in software.</DD>
8632 <H3><A name="policestate">Stopping wholesale monitoring</A></H3>
8633 <P>From a message project leader John Gilmore posted to the mailing
8638 > Indeed there are several ways in which the documentation overstates the
8639 > scope of what this project does -- starting with the name
8640 > FreeS/WAN. There's a big difference between having an encrypted IP tunnel
8641 > versus having a Secure Wide-Area Network. This software does a fine job of
8642 > the former, which is necessary but not sufficient for the latter.
8644 The goal of the project is to make it very hard to tap your wide area
8645 communications. The current system provides very good protection
8646 against passive attacks (wiretapping and those big antenna farms).
8647 Active attacks, which involve the intruder sending packets to your
8648 system (like packets that break into sendmail and give them a root
8649 shell :-) are much harder to guard against. Active attacks that
8650 involve sending people (breaking into your house and replacing parts
8651 of your computer with ones that transmit what you're doing) are also
8652 much harder to guard against. Though we are putting effort into
8653 protecting against active attacks, it's a much bigger job than merely
8654 providing strong encryption. It involves general computer security,
8655 and general physical security, which are two very expensive problems
8656 for even a site to solve, let alone to build into a whole society.
8658 The societal benefit of building an infrastructure that protects
8659 well against passive attacks is that it makes it much harder to do
8660 undetected bulk monitoring of the population. It's a defense against
8661 police-states, not against policemen.
8663 Policemen can put in the effort required to actively attack sites that
8664 they have strong suspicions about. But police states won't be able to
8665 build systems that automatically monitor everyone's communications.
8666 Either they will be able to monitor only a small subset of the
8667 populace (by targeting those who screwed up their passive security),
8668 or their monitoring activities will be detectable by those monitored
8669 (active attacks leave packet traces or footprints), which can then be
8670 addressed through the press and through political means if they become
8673 FreeS/WAN does not protect very well against traffic analysis, which
8674 is a kind of widespread police-state style monitoring that still
8675 reveals significant information (who's talking to who) without
8676 revealing the contents of what was said. Defenses against traffic
8677 analysis are an open research problem. Zero Knowledge Systems is
8678 actively deploying a system designed to thwart it, designed by Ian
8679 Goldberg. The jury is out on whether it actually works; a lot more
8680 experience with it will be needed.
8682 <P> Notes on things mentioned in that message: </P>
8684 <LI>Denker is a co-author of a <A href="#applied">paper</A> on a large
8685 FreeS/WAN application.</LI>
8686 <LI> Information on Zero Knowledge is on their <A href="http://www.zks.net/">
8687 web site</A>. Their Freedom product is designed to provide untracable
8688 pseudonyms for use on the net.</LI>
8689 <LI>Another section of our documentation discusses ways to <A href="#traffic.resist">
8690 resist traffic analysis</A>. </LI>
8692 <H2><A name="weak">Government promotion of weak crypto</A></H2>
8693 <P> Various groups, especially governments and especially the US
8694 government, have a long history of advocating various forms of bogus
8696 <P> We regard bogus security as extremely dangerous. If users are
8697 deceived into relying on bogus security, then they may be exposed to
8698 large risks. They would be better off having no security and knowing
8699 it. At least then they would be careful about what they said.</P>
8700 <P><STRONG> Avoiding bogus security is a key design criterion for
8701 everything we do in FreeS/WAN</STRONG>. The most conspicuous example is
8702 our refusal to support <A href="desnotsecure">single DES</A>. Other
8703 IPSEC "features" which we do not implement are discussed in our <A href="#dropped">
8704 compatibility</A> document.</P>
8705 <H3><A name="escrow">Escrowed encryption</A></H3>
8706 <P> Various governments have made persistent attempts to encourage or
8707 mandate "escrowed encrytion", also called "key recovery", or GAK for
8708 "government access to keys". The idea is that cryptographic keys be
8709 held by some third party and turned over to law enforcement or security
8710 agencies under some conditions.</P>
8712 Mary had cryptography
8713 Her keys were in escrow
8714 And everything that Mary said
8715 The feds were sure to know
8717 (If anyone knows the origin of that ditty, let <A href="mailto:sandy@storm.ca">
8718 let me know</A> so I can credit the author.)
8719 <P> There is an excellent paper available on <A href="http://www.cdt.org/crypto/risks98/">
8720 Risks of Escrowed Encryption</A>, from a group of cryptographic
8721 luminaries which included our project leader.</P>
8722 <P> Like any unnecessary complication, GAK tends to weaken security of
8723 any design it infects. For example: </P>
8725 <LI>Matt Blaze found a fatal flaw in the US government's Clipper chip
8726 shortly after design information became public. See his paper "Protocol
8727 Failure in the Escrowed Encryption Standard" on his <A href="http://www.crypto.com/papers/">
8728 papers</A> page.</LI>
8729 <LI>a rather <A href="http://www.pgp.com/other/advisories/adk.asp">
8730 nasty bug</A> has recently been found in the "additional decryption
8731 keys" "feature" of recent releases of <A href="#PGP">PGP</A></LI>
8733 <P> FreeS/WAN does not support escrowed encryption, and never will.</P>
8734 <H3><A name="shortkeys">Limited key lengths</A></H3>
8735 <P> Various governments, and some vendors, have also made persistent
8736 attempts to convince people that: </P>
8738 <LI>weak systems are sufficient for some data </LI>
8739 <LI>strong cryptography should be reserved for cases where the extra
8740 overheads are justified </LI>
8742 <STRONG> This is nonsense</STRONG>.
8743 <P> Weak systems touted include:</P>
8745 <LI>the ludicrously weak (deliberately crippled) 40-bit ciphers that
8746 until recently were all various <A href="#exlaw">export laws</A>
8748 <LI>56-bit single DES, discussed <A href="#desnotsecure">below</A></LI>
8749 <LI>64-bit symmetric ciphers and 512-bit RSA, the maximums for
8750 unrestricted export under various current laws</LI>
8752 <P> The notion that choice of ciphers or keysize should be determined
8753 by a trade-off between security requirements and overheads is pure
8756 <LI>For most <A href="#symmetric">symmetric ciphers</A>, it is simply a
8757 lie. Any block cipher has some natural maximum keysize inherent in the
8758 design -- 128 bits for <A href="#IDEA">IDEA</A> or <A href="#CAST128">
8759 CAST-128</A>, 256 for any of the <A href="#AES"> AES</A> ciphers, 448
8760 for <A href="#Blowfish">Blowfish</A> and 2048 for <A href="#RC4"> RC4</A>
8761 . Using any key size up to that natural limit the overheads are
8762 exactly what they would be for the crippled 40-bit or 64-bit version
8764 <LI>For the special case of <A href="#3DES">triple DES</A> there is a
8765 grain of truth in the argument. 3DES is indeed three times slower than
8766 single DES. Of course it is also fast enough for many applications. In
8767 cases where it isn't, the solution is not to use the insecure single
8768 DES, but to pick a faster secure cipher. <A href="#CAST128"> CAST-128</A>
8769 , <A href="#Blowfish"> Blowfish</A> and the <A href="#AES"> AES
8770 candidate</A> ciphers are are all considerably faster in software than
8771 DES (let alone 3DES), and apparently secure.</LI>
8772 <LI>For <A href="#public">public key</A> techniques, there are extra
8773 overheads for larger keys, but they generally do not affect overall
8774 performance significantly. Practical public key applications are
8775 usually <A href="#hybrid">hybrid</A> systems in which the bulk of the
8776 work is done by a symmetric cipher. The effect of increasing the cost
8777 of the public key operations is typically negligible because the
8778 public key operations use only a tiny fraction of total resources. </LI>
8779 <P> For example, suppose public key operations use use 1% of the time
8780 in a hybrid system and you triple the cost of public key operations.
8781 The cost of symmetric cipher operations is unchanged at 99% of the
8782 original total cost, so the overall effect is a jump from 99 + 1 = 100
8783 to 99 + 3 = 102, a 2% rise in system cost.</P>
8785 <P> In short, <STRONG>there has never been any technical reason to use
8786 inadequate ciphers</STRONG>. The only reason there has ever been for
8787 anyone to use such ciphers is that government agencies want weak
8788 ciphers used so that they can crack them. The alleged savings are
8789 simply propaganda.</P>
8790 <P> Of course, making systems secure does involve costs, and trade-offs
8791 can be made between cost and security. There can be substantial
8792 hardware and software costs. There are almost always substantial staff
8793 or contracting costs: </P>
8795 <LI>Security takes staff time for planning, implementation and
8796 auditing. Some of the issues are subtle; you need good (hence often
8797 expensive) people for this. </LI>
8798 <LI>You also need people to monitor your systems and respond to
8799 problems. The best safe ever built is insecure if an attacker can work
8800 on it for days without anyone noticing. Any computer is insecure if the
8801 administrator is "too busy" to check the logs. </LI>
8802 <LI>Moreover, someone in your organisation (or on contract to it) needs
8803 to spend considerable time keeping up with new developments.
8805 <LI>When some novel attack threatens some program you use, someone
8806 should notice. </LI>
8807 <LI>When the vendor provides a patch that fixes the vulnerability,
8808 someone should apply it. </LI>
8809 <P> For a fairly awful example, see this <A href="http://www.sans.org/newlook/alerts/NTE-bank.htm">
8810 report</A>. In that case over a million credit card numbers were taken
8811 from e-commerce sites, using security flaws in Windows NT servers.
8812 Microsoft had long since released patches for most or all of the flaws,
8813 but the site administrators had not applied them. </P>
8814 <LI>If the vendor does nothing, someone should do at least one of:
8816 <LI>raise hell with the vendor </LI>
8817 <LI> raise the question of changing vendors </LI>
8821 At an absolute minimum, you must do something about such issues <EM>
8822 before</EM> an exploitation tool is posted to the net for downloading
8823 by dozens of "script kiddies". Such a tool might appear at any time
8824 from the announcement of the security hole to several months later.
8825 Once it appears, anyone with a browser and an attitude can break any
8826 system whose administrators have done nothing about the flaw. </LI>
8827 <LI>There are often substantial training costs, both to train
8828 administrators and to increase user awareness of security issues and
8831 <P> Compared to those costs, cipher overheads are an insignificant
8832 factor in the cost of security. Note, however, that choosing an
8833 insecure cipher can cause all your other investment to be wasted.</P>
8834 <P> Our policy in FreeS/WAN is to use only cryptographic components
8835 with adequate keylength and no known weaknesses. </P>
8837 <LI>We do not implement single DES because it is clearly <A href="#desnotsecure">
8838 insecure</A>, so implemeting it would violate our policy of avoiding
8839 bogus security. Our default cipher is <A href="#3DES">3DES</A></LI>
8840 <LI> Similarly, we do not implement the 768-bit Group 1 for <A href="#DH">
8841 Diffie-Hellman</A> key negotiation. It is not clear that this is
8842 secure, so we provide only the 1024-bit Group 2 and 1536-bit Group 5.</LI>
8844 <P> These decisions imply that we cannot fully conform to the IPSEC
8845 RFCs, since those have DES as the only required cipher and Group 1 as
8846 the only required DH group. (In our view, the standards were subverted
8847 into offerring bogus security.) Fortunately, we can still interoperate
8848 with most other IPSEC implementations since nearly all implementers
8849 provide at least 3DES and Group 2 as well.</P>
8850 <P> We hope that eventually the RFCs will catch up with our (and
8851 others') current practice and reject dubious components. Some of our
8852 team and a number of others are working on this in <A href="#IETF">IETF</A>
8854 <H2><A name="exlaw">Cryptography Export Laws</A></H2>
8855 <P>Many nations restrict the export of cryptography and some restrict
8856 its use by their citizens or others within their borders.</P>
8857 <H3><A name="USlaw">US Law</A></H3>
8858 <P>US laws, as currently interpreted by the US government, forbid
8859 export of most cryptographic software from the US in machine-readable
8860 form without government permission. In general, the restrictions apply
8861 even if the software is widely-disseminated or public-domain and even
8862 if it came from outside the US originally. Cryptography is legally a
8863 munition and export is tightly controlled under the <A href="#EAR">EAR</A>
8864 Export Administration Regulations.</P>
8865 <P>If you are a US citizen, your brain is considered US territory no
8866 matter where it is physically located at the moment. The US believes
8867 that its laws apply to its citizens everywhere, not just within the
8868 US. Providing technical assistance or advice to foreign "munitions"
8869 projects is illegal. The US government has very little sense of humor
8870 about this issue and does not consider good intentions to be
8871 sufficient excuse. Beware.</P>
8872 <P>The <A href="http://www.bxa.doc.gov/Encryption/">official website</A>
8873 for these regulations is run by the Commerce Department's Bureau of
8874 Export Administration (BXA). Information on various challenges to them
8875 is indexed in the <A href="ftp://ftp.cygnus.com/pub/export/export.html">
8876 Cryptography Export Control Archives</A>. </P>
8877 <P> The <A href="http://www.eff.org/bernstein/">Bernstein case</A>
8878 challenges the export restrictions on Constitutional grounds. Code is
8879 speech so restrictions on export of code violate the First Amendment's
8880 free speech provisions. This argument has succeeded in two levels of
8881 court so far. It is quite likely to go on to the Supreme Court.</P>
8882 <P> The regulations were changed substantially in January 2000,
8883 apparently as a government attempt to get off the hook in the Bernstein
8884 case. It is now legal to export public domain source code for
8885 encryption, provided you notify the <A href="#BXA">BXA</A>. </P>
8886 <P> There are, however, still restrictions in force. See this <A href="">
8887 article</A>. Moreover, the regulations can still be changed again
8888 whenever the government chooses to do so. Short of a Supreme Court
8889 ruling (in the Berstein case or another) that overturns the regulations
8890 completely, the problem of export regulation is not likely to go away
8891 in the forseeable future. </P>
8892 <H4><A name="UScontrib">US contributions to FreeS/WAN</A></H4>
8893 <P>The FreeS/WAN project <STRONG>cannot accept software contributions, <EM>
8894 not even small bug fixes</EM>, from US citizens or residents</STRONG>.
8895 We want it to be absolutely clear that our distribution is not subject
8896 to US export law. Any contribution from an American might open that
8897 question to a debate we'd prefer to avoid. It might also put the
8898 contributor at serious legal risk.</P>
8899 <P>Of course Americans can still make valuable contributions (many
8900 already have) by reporting bugs, or otherwise contributing to
8901 discussions, on the project <A href="mail.html">mailing list</A>.
8902 Since the list is public, this is clearly constitutionally protected
8904 <P> Note, however, that the export laws restrict Americans from
8905 providing technical assistance to foreign "munitions" projects. The
8906 government might claim that private discussions or correspondence with
8907 FreeS/WAN developers were covered by this. It is not clear what the
8908 courts would do with such a claim, so we strongly encourage Americans
8909 to use the list rather than risk the complications.</P>
8910 <H3><A name="wrong">What's wrong with restrictions on cryptography</A></H3>
8911 <P>Some quotes from prominent cryptography experts:</P>
8912 <BLOCKQUOTE> The real aim of current policy is to ensure the continued
8913 effectiveness of US information warfare assets against individuals,
8914 businesses and governments in Europe and elsewhere.
8915 <BR><A href="http://www.cl.cam.ac.uk/users/rja14"> Ross Anderson,
8916 Cambridge University</A></BLOCKQUOTE><BLOCKQUOTE> If the government
8917 were honest about its motives, then the debate about crypto export
8918 policy would have ended years ago.
8919 <BR><A href="http://www.counterpane.com"> Bruce Schneier, Counterpane
8920 Systems</A></BLOCKQUOTE><BLOCKQUOTE> We should not be building
8921 surveillance technology into standards. Law enforcement was not
8922 supposed to be easy. Where it is easy, it's called a police state.
8923 <BR> Jeff Schiller of MIT, in a discussion of FBI demands for wiretap
8924 capability on the net, as quoted by <A href="http://www.wired.com/news/politics/0,1283,31895,00.html">
8925 Wired</A>.</BLOCKQUOTE>
8926 <P>The Internet Architecture Board (IAB) and the Internet Engineering
8927 Steering Group (IESG) made a <A href="iab-iesg.stmt">strong statement</A>
8928 in favour of worldwide access to strong cryptography. Essentially the
8929 same statement is in the appropriately numbered <A href="ftp://ftp.isi.edu/in-notes/rfc1984.txt">
8930 RFC 1984</A>. Two critical paragraphs are:</P>
8931 <BLOCKQUOTE> We believe that such policies are against the interests of
8932 consumers and the business community, are largely irrelevant to issues
8933 of military security, and provide only a marginal or illusory benefit
8934 to law enforcement agencies, as discussed below.
8935 <P>The IAB and IESG would like to encourage policies that allow ready
8936 access to uniform strong cryptographic technology for all Internet
8937 users in all countries.</P>
8939 <P>Our goal in the FreeS/WAN project is to build just such "strong
8940 cryptographic technology" and to distribute it "for all Internet users
8941 in all countries".</P>
8942 <P>More recently, the same two bodies (IESG and IAB) have issued <A href="ftp://ftp.isi.edu/in-notes/rfc2804.txt">
8943 RFC 2804</A> on why the IETF should not build wiretapping capabilities
8944 into protocols for the convenience of security or law enforcement
8946 <P>Our goal is to go beyond that and prevent Internet wiretapping
8948 <H3><A name="Wassenaar">The Wassenaar Arrangement</A></H3>
8949 <P>Restrictions on the export of cryptography are not just US policy,
8950 though some consider the US at least partly to blame for the policies
8951 of other nations in this area.</P>
8952 <P>A number of countries:</P>
8953 <P>Argentina, Australia, Austria, Belgium, Bulgaria, Canada, Czech
8954 Republic, Denmark, Finland, France, Germany, Greece, Hungary, Ireland,
8955 Italy, Japan, Luxembourg, Netherlands, New Zealand, Norway, Poland,
8956 Portugal, Republic of Korea, Romania, Russian Federation, Slovak
8957 Republic, Spain, Sweden, Switzerland, Turkey, Ukraine, United Kingdom
8958 and United States</P>
8959 <P>have signed the Wassenaar Arrangement which restricts export of
8960 munitions and other tools of war. Cryptographic sofware is covered
8962 <P>Wassenaar details are available from the <A href="http://www.wassenaar.org/">
8963 Wassenaar Secretariat</A>, and elsewhere in a more readable <A href="http://www.fitug.de/news/wa/index.html">
8964 HTML version</A>.</P>
8965 <P>For a critique see the <A href="http://www.gilc.org/crypto/wassenaar">
8967 <BLOCKQUOTE> The Global Internet Liberty Campaign (GILC) has begun a
8968 campaign calling for the removal of cryptography controls from the
8969 Wassenaar Arrangement.
8970 <P>The aim of the Wassenaar Arrangement is to prevent the build up of
8971 military capabilities that threaten regional and international
8972 security and stability . . .</P>
8973 <P>There is no sound basis within the Wassenaar Arrangement for the
8974 continuation of any export controls on cryptographic products.</P>
8976 <P>We agree entirely.</P>
8977 <P> An interesting analysis of Wassenaar can be found on the <A href="http://www.cyber-rights.org/crypto/wassenaar.htm">
8978 cyber-rights.org</A> site. </P>
8979 <H3><A name="status">Export status of Linux FreeS/WAN</A></H3>
8980 <P>We believe our software is entirely exempt from these controls since
8981 the Wassenaar <A href="http://www.wassenaar.org/list/GTN%20and%20GSN%20-%2099.pdf">
8982 General Software Note</A> says:</P>
8983 <BLOCKQUOTE> The Lists do not control "software" which is either:
8985 <LI>Generally available to the public by . . . retail . . . or</LI>
8986 <LI>"In the public domain".</LI>
8989 <P>There is a note restricting some of this, but it is a sub-heading
8990 under point 1, so it appears not to apply to public domain software.</P>
8991 <P>Their glossary defines "In the public domain" as:</P>
8992 <BLOCKQUOTE> . . . "technology" or "software" which has been made
8993 available without restrictions upon its further dissemination.
8994 <P>N.B. Copyright restrictions do not remove "technology" or "software"
8995 from being "in the public domain".</P>
8997 <P>We therefore believe that software freely distributed under the <A href="#GPL">
8998 GNU Public License</A>, such as Linux FreeS/WAN, is exempt from
8999 Wassenaar restrictions.</P>
9000 <P>Most of the development work is being done in Canada. Our
9001 understanding is that the Canadian government accepts this
9004 <LI>A web statement of <A href="http://www.dfait-maeci.gc.ca/~eicb/notices/ser113-e.htm">
9005 Canadian policy</A> is available from the Department of Foreign
9006 Affairs and International Trade.</LI>
9007 <LI>Another document from that department states that <A href="http://www.dfait-maeci.gc.ca/~eicb/export/gr1_e.htm">
9008 public domain software</A> is exempt from the export controls.</LI>
9009 <LI>A researcher's <A href="http://insight.mcmaster.ca/org/efc/pages/doc/crypto-export.html">
9010 analysis</A> of Canadian policy is also available.</LI>
9012 <P>Recent copies of the freely modifiable and distributable source code
9013 exist in many countries. Citizens all over the world participate in
9014 its use and evolution, and guard its ongoing distribution. Even if
9015 Canadian policy were to change, the software would continue to evolve
9016 in countries which do not restrict exports, and would continue to be
9017 imported from there into unfree countries. "The Net culture treats
9018 censorship as damage, and routes around it."</P>
9019 <H3><A name="help">Help spread IPSEC around</A></H3>
9020 <P> You can help. If you don't know of a Linux FreeS/WAN archive in
9021 your own country, please download it now to your personal machine, and
9022 consider making it publicly accessible if that doesn't violate your own
9023 laws. If you have the resources, consider going one step further and
9024 setting up a mirror site for the whole <A href="#munitions">munitions</A>
9025 Linux crypto software archive.</P>
9026 <P>If you make Linux CD-ROMs, please consider including this code, in a
9027 way that violates no laws (in a free country, or in a domestic-only CD
9029 <P>Please send a note about any new archive mirror sites or CD
9030 distributions to linux-ipsec@clinet.fi so we can update the
9032 <P>Lists of current <A href="#sites">mirror sites</A> and of <A href="#distwith">
9033 distributions</A> which include FreeS/WAN are in our introduction
9035 <H2><A name="desnotsecure">DES is Not Secure</A></H2>
9036 <P>DES, the <STRONG>D</STRONG>ata <STRONG>E</STRONG>ncryption <STRONG> S</STRONG>
9037 tandard, can no longer be considered secure. While no major flaws in
9038 its innards are known, it is fundamentally inadequate because its <STRONG>
9039 56-bit key is too short</STRONG>. It is vulnerable to <A href="#brute">
9040 brute-force search</A> of the whole key space, either by large
9041 collections of general-purpose machines or even more quickly by
9042 specialized hardware. Of course this also applies to <STRONG>any other
9043 cipher with only a 56-bit key</STRONG>. The only reason anyone could
9044 have for using a 56 or 64-bit key is to comply with various <A href="exportlaw.html">
9045 export laws</A> intended to ensure the use of breakable ciphers.</P>
9046 <P>Non-government cryptologists have been saying DES's 56-bit key was
9047 too short for some time -- some of them were saying it in the 70's
9048 when DES became a standard -- but the US government has consistently
9049 ridiculed such suggestions.</P>
9050 <P>A group of well-known cryptographers looked at key lengths in a <A href="http://www.counterpane.com/keylength.html">
9051 1996 paper</A>. They suggested a <EM>minimum</EM> of 75 bits to
9052 consider an existing cipher secure and a <EM>minimum of 90 bits for
9053 new ciphers</EM>. More recent papers, covering both <A href="#symmetric">
9054 symmetric</A> and <A href="#public">public key</A> systems are at <A href="http://www.cryptosavvy.com/">
9055 cryptosavvy.com</A> and <A href="http://www.rsasecurity.com/rsalabs/bulletins/bulletin13.html">
9056 rsa.com</A>. For all algorithms, the minimum keylengths recommended in
9057 such papers are significantly longer than the maximums allowed by
9058 various export laws.</P>
9059 <P> In a <A href="http://www.thestandard.net/articles/display/0,1449,1780,00.html">
9060 1998 ruling</A>, a German court described DES as "out-of-date and not
9061 safe enough" and held a bank liable for using it.</P>
9062 <H3><A name="deshware">Dedicated hardware breaks DES in a few days</A></H3>
9063 <P>The question of DES security has now been settled once and for all.
9064 In early 1998, the <A href="http://www.eff.org/">Electronic Frontier
9065 Foundation</A> built a <A href="http://www.eff.org/descracker.html">
9066 DES-cracking machine</A>. It can find a DES key in an average of a few
9067 days' search. The details of all this, including complete code
9068 listings and complete plans for the machine, have been published in <A href="#EFF">
9069 <CITE>Cracking DES</CITE></A>, by the Electronic Frontier Foundation.</P>
9070 <P> That machine cost just over $200,000 to design and build. "Moore's
9071 Law" is that machines get faster (or cheaper, for the same speed) by
9072 roughly a factor of two every 18 months. At that rate, their $200,000
9073 in 1998 becomes $50,000 in 2001. </P>
9074 <P> However, Moore's Law is not exact and the $50,000 estimate does not
9075 allow for the fact that a copy based on the published EFF design would
9076 of course cost far less than the original. We cannot say exactly what
9077 such a cracker would cost today, but it would likely be somewhere
9078 between $10,000 and $100,000. </P>
9079 <P> A large corporation could build one of these out of petty cash. The
9080 cost is low enough for a senior manager to hide it in a departmental
9081 budget and avoid having to announce or justify the project. Any
9082 government agency, from a major municipal police force up, could afford
9083 one. Or any other group with a respectable budget -- criminal
9084 organisations, political groups, labour unions, religious groups, ...
9085 Or any millionaire with an obsession or a grudge, or just strange taste
9087 <P>One might wonder if a private security or detective agency would
9088 have one for rent. They wouldn't need many clients to pay off that
9090 <H3><A name="spooks">Spooks may break DES faster yet</A></H3>
9091 <P>As for the security and intelligence agencies of various nations,
9092 some of them may have had DES crackers for years. Possibly very fast
9093 ones! Cipher-cracking is one of the few known applications which is
9094 easy to speed up by just adding more processors and memory. Within
9095 very broad limits, you can make it as fast as you like if you have the
9096 budget. The EFF's $200,000 machine breaks DES in a few days. An <A href="http://www.planepage.com/">
9097 aviation website</A> gives the cost of a B1 bomber as $200,000,000.
9098 Spending that much, an intelligence agency could expect to break DES
9099 in an average time of <EM>six and a half minutes</EM>.</P>
9100 <P>That estimate assumes they use the EFF's 1998 technology and just
9101 spend more money. They may have an attack that is superior to brute
9102 force, they quite likely have better chip technology (Moore's law, a
9103 bigger budget, and whatever secret advances they may have made) and of
9104 course they may have spent the price of an aircraft carrier, not just
9106 <P>In short, we have <EM>no idea</EM> how quickly these organisations
9107 can break DES. Unless they're grossly incompetent, they can certainly
9108 do it more quickly than the users of the cipher would like, but beyond
9109 that we can't say. Pick any time unit between days and milliseconds.
9110 None of these is entirely unbelievable. More to the point, none of
9111 them is of any comfort if you don't want such organisations reading
9112 your communications.</P>
9113 <P>Note that this may be a concern even if nothing you do is a threat
9114 to anyone's national security. An intelligence agency might well
9115 consider it to be in their national interest for certain companies to
9116 do well. If you're competing against such companies in a world market
9117 and that agency can read your secrets, you have a serious problem. For
9118 example, see this <A href="http://www.msnbc.com/news/403435.asp?cp1=1">
9119 NBC story</A> or this <A href="http://cryptome.org/dp/Econ_Espionage.htm">
9120 analysis</A>. The US are the villains in those pieces, but there is no
9121 reason to imagine they are the only threat.</P>
9122 <P>One might wonder about technology the former Soviet Union and its
9123 allies developed for cracking DES during the Cold War. They must have
9124 tried; the cipher was an American standard and widely used. How well
9125 did they succeed? Is their technology now for sale or rent?</P>
9126 <H3><A name="desnet">Networks break DES in a few weeks</A></H3>
9127 <P>Before the definitive EFF effort, DES had been cracked several times
9128 by people using many machines. See this <A href="http://www.distributed.net/pressroom/DESII-1-PR.html">
9129 press release</A> for example.</P>
9130 <P>A major corporation, university, or government department could
9131 break DES by using spare cycles on their existing collection of
9132 computers, by dedicating a group of otherwise surplus machines to the
9133 problem, or by combining the two approaches. It might take them weeks
9134 or months, rather than the days required for the EFF machine, but they
9136 <P>What about someone working alone, without the resources of a large
9137 organisation? For them, cracking DES will not be easy, but it may be
9138 possible. A few thousand dollars buys a lot of surplus workstations. A
9139 pile of such machines will certainly heat your garage nicely and might
9140 break DES in a few months or years. Or enroll at a university and use
9141 their machines. Or use an employer's machines. Or crack security
9142 somewhere and steal the resources to crack a DES key. Or write a virus
9143 that steals small amounts of resources on many machines. Or . . .</P>
9144 <P>None of these approaches are easy or break DES really quickly, but
9145 an attacker only needs to find one that is feasible and breaks DES
9146 quickly enough to be dangerous. How much would you care to bet that
9147 this will be impossible if the attacker is clever and determined? How
9148 valuable is your data? Are you authorised to risk it on a dubious bet?</P>
9149 <H3><A name="no_des">We disable DES</A></H3>
9150 <P>In short, it is now absolutely clear that <STRONG>DES is not secure</STRONG>
9153 <LI>any <STRONG>well-funded opponent</STRONG></LI>
9154 <LI>any opponent (even a penniless one) with access (even stolen
9155 access) to <STRONG>enough general purpose computers</STRONG></LI>
9157 <P>That is why <STRONG>Linux FreeS/WAN disables all transforms which
9158 use plain DES</STRONG> for encryption.</P>
9159 <P>DES is in the source code, because we need DES to implement our
9160 default encryption transform, <A href="#3DES">Triple DES</A>. <STRONG>
9161 We urge you not to use single DES</STRONG>. We do not provide any easy
9162 way to enable it in FreeS/WAN, and our policy is to provide no
9163 assistance to anyone wanting to do so.</P>
9164 <H3><A name="40joke">40-bits is laughably weak</A></H3>
9165 <P>The same is true, in spades, of ciphers -- DES or others -- crippled
9166 by 40-bit keys, as many ciphers were required to be until recently
9167 under various <A href="#exlaw">export laws</A>. A brute force search
9168 of such a cipher's keyspace is 2<SUP>16</SUP> times faster than a
9169 similar search against DES. The EFF's machine can do a brute-force
9170 search of a 40-bit key space in <EM>seconds</EM>. One contest to crack
9171 a 40-bit cipher was won by a student <A href="http://catless.ncl.ac.uk/Risks/18.80.html#subj1">
9172 using a few hundred idle machines at his university</A>. It took only
9173 three and half hours.</P>
9174 <P>We do not, and will not, implement any 40-bit cipher.</P>
9175 <H3><A name="altdes">Triple DES is almost certainly secure</A></H3>
9176 <P><A href="#3DES">Triple DES</A>, usually abbreviated 3DES, applies
9177 DES three times, with three different keys. DES seems to be basically
9178 an excellent cipher design; it has withstood several decades of
9179 intensive analysis without any disastrous flaws being found. It's only
9180 major flaw is that the small keyspace allows brute force attacks to
9181 succeeed. Triple DES enlarges the key space to 168 bits, making
9182 brute-force search a ridiculous impossibility.</P>
9183 <P>3DES is currently the only block cipher implemented in FreeS/WAN.
9184 3DES is, unfortunately, about 1/3 the speed of DES, but modern CPUs
9185 still do it at quite respectable speeds. Some <A href="#benchmarks">
9186 speed measurements</A> for our code are available.</P>
9187 <H3><A name="aes.ipsec">AES in IPSEC</A></H3>
9188 <P> The <A href="#AES">AES</A> project has recently chosen a
9189 replacement for DES, a new standard cipher for use in non-classified US
9190 government work and in regulated industries such as banking. This
9191 cipher will almost certainly become widely used for many applications,
9192 including IPSEC, but perhaps not quickly.</P>
9193 <P> The winner, announced in October 2000 after several years of
9194 analysis and discussion, was the <A href="http://www.esat.kuleuven.ac.be/~rijmen/rijndael/">
9195 Rijndael</A> cipher from two Belgian designers. </P>
9196 <P> It is likely that many IPSEC implementations will add Rijndael
9197 support over the next few months or years. FreeS/WAN will almost
9198 certainly do so, but it is not high on the priority list. This might
9199 be an excellent project for a volunteer.</P>
9200 <H2><A name="press">Press coverage of Linux FreeS/WAN:</A></H2>
9201 <H3><A NAME="11_6_1">FreeS/WAN 1.0 press</A></H3>
9203 <LI><A href="http://www.wired.com/news/news/technology/story/19136.html">
9204 Wired</A> "Linux-Based Crypto Stops Snoops", James Glave April 15 1999</LI>
9205 <LI><A href="http://slashdot.org/articles/99/04/15/1851212.shtml">
9207 <LI><A href="http://dgl.com/itinfo/1999/it990415.html">DGL</A>, Damar
9208 Group Limited; looking at FreeS/WAN from a perspective of business
9210 <LI><A href="http://linuxtoday.com/stories/5010.html">Linux Today</A></LI>
9211 <LI><A href="http://www.tbtf.com/archive/1999-04-21.html#Tcep">TBTF</A>
9212 , Tasty Bits from the Technology Front</LI>
9213 <LI><A href="http://www.salonmagazine.com/tech/log/1999/04/16/encryption/index.html">
9214 Salon Magazine</A> "Free Encryption Takes a Big Step"</LI>
9216 <H3><A name="release">Press release for version 1.0</A></H3>
9218 Strong Internet Privacy Software Free for Linux Users Worldwide
9220 Toronto, ON, April 14, 1999 -
9222 The Linux FreeS/WAN project today released free software to protect
9223 the privacy of Internet communications using strong encryption codes.
9224 FreeS/WAN automatically encrypts data as it crosses the Internet, to
9225 prevent unauthorized people from receiving or modifying it. One
9226 ordinary PC per site runs this free software under Linux to become a
9227 secure gateway in a Virtual Private Network, without having to modify
9228 users' operating systems or application software. The project built
9229 and released the software outside the United States, avoiding US
9230 government regulations which prohibit good privacy protection.
9231 FreeS/WAN version 1.0 is available immediately for downloading at
9232 http://www.xs4all.nl/~freeswan/.
9234 "Today's FreeS/WAN release allows network administrators to build
9235 excellent secure gateways out of old PCs at no cost, or using a cheap
9236 new PC," said John Gilmore, the entrepreneur who instigated the
9237 project in 1996. "They can build operational experience with strong
9238 network encryption and protect their users' most important
9239 communications worldwide."
9241 "The software was written outside the United States, and we do not
9242 accept contributions from US citizens or residents, so that it can be
9243 freely published for use in every country," said Henry Spencer, who
9244 built the release in Toronto, Canada. "Similar products based in the
9245 US require hard-to-get government export licenses before they can be
9246 provided to non-US users, and can never be simply published on a Web
9247 site. Our product is freely available worldwide for immediate
9248 downloading, at no cost."
9250 FreeS/WAN provides privacy against both quiet eavesdropping (such as
9251 "packet sniffing") and active attempts to compromise communications
9252 (such as impersonating participating computers). Secure "tunnels" carry
9253 information safely across the Internet between locations such as a
9254 company's main office, distant sales offices, and roaming laptops. This
9255 protects the privacy and integrity of all information sent among those
9256 locations, including sensitive intra-company email, financial transactions
9257 such as mergers and acquisitions, business negotiations, personal medical
9258 records, privileged correspondence with lawyers, and information about
9259 crimes or civil rights violations. The software will be particularly
9260 useful to frequent wiretapping targets such as private companies competing
9261 with government-owned companies, civil rights groups and lawyers,
9262 opposition political parties, and dissidents.
9264 FreeS/WAN provides privacy for Internet packets using the proposed
9265 standard Internet Protocol Security (IPSEC) protocols. FreeS/WAN
9266 negotiates strong keys using Diffie-Hellman key agreement with 1024-bit
9267 keys, and encrypts each packet with 168-bit Triple-DES (3DES). A modern
9268 $500 PC can set up a tunnel in less than a second, and can encrypt
9269 6 megabits of packets per second, easily handling the whole available
9270 bandwidth at the vast majority of Internet sites. In preliminary testing,
9271 FreeS/WAN interoperated with 3DES IPSEC products from OpenBSD, PGP, SSH,
9272 Cisco, Raptor, and Xedia. Since FreeS/WAN is distributed as source code,
9273 its innards are open to review by outside experts and sophisticated users,
9274 reducing the chance of undetected bugs or hidden security compromises.
9276 The software has been in development for several years. It has been
9277 funded by several philanthropists interested in increased privacy on
9278 the Internet, including John Gilmore, co-founder of the Electronic
9279 Frontier Foundation, a leading online civil rights group.
9282 Hugh Daniel, +1 408 353 8124, hugh@toad.com
9283 Henry Spencer, +1 416 690 6561, henry@spsystems.net
9285 * FreeS/WAN derives its name from S/WAN, which is a trademark of RSA Data
9286 Security, Inc; used by permission.
9289 <H1><A name="ipsec.detail">The IPSEC protocols</A></H1>
9290 <P>This section provides details of the IPSEC protocols which FreeS/WAN
9292 <P>The basic idea of IPSEC is to provide security functions, <A href="#authentication">
9293 authentication</A> and <A href="#encryption">encryption</A>, at the IP
9294 (Internet Protocol) level. This requires a higher-level protocol (IKE)
9295 to set things up for the IP-level services (ESP and AH).</P>
9296 <P>Three protocols are used in an IPSEC implementation:</P>
9298 <DT>ESP, Encapsulating Security Payload</DT>
9299 <DD>Encrypts and/or authenticates data</DD>
9300 <DT>AH, Authentication Header</DT>
9301 <DD>Provides a packet authentication service</DD>
9302 <DT>IKE, Internet Key Exchange</DT>
9303 <DD>Negotiates connection parameters, including keys, for the other two</DD>
9305 <P> The term "IPSEC" is slightly ambiguous. In some contexts, it
9306 includes all three of the above but in other contexts it refers only
9308 <H2><A name="others">Applying IPSEC</A></H2>
9309 <P>Authentication and encryption functions for network data can, of
9310 course, be provided at other levels. Many security protocols work at
9311 levels above IP.</P>
9313 <LI><A href="#PGP">PGP</A> encrypts and authenticates mail messages</LI>
9314 <LI><A href="#SSH">SSH</A> authenticates remote logins and then
9315 encrypts the session</LI>
9316 <LI><A href="#SSL">SSL</A> or <A href="#TLS">TLS</A> provides security
9317 at the sockets layer, e.g. for secure web browsing</LI>
9319 <P> and so on. Other techniques work at levels below IP. For example,
9320 data on a communications circuit or an entire network can be encrypted
9321 by specialised hardware. This is common practice in high-security
9323 <H3><A name="advantages">Advantages of IPSEC</A></H3>
9324 <P>There are, however, advantages to doing it at the IP level instead
9325 of, or as well as, at other levels.</P>
9326 <P>IPSEC is the <STRONG>most general way to provide these services for
9327 the Internet</STRONG>.</P>
9329 <LI>Higher-level services protect a <EM>single protocol</EM>; for
9330 example PGP protects mail.</LI>
9331 <LI>Lower level services protect a <EM>single medium</EM>; for example
9332 a pair of encryption boxes on the ends of a line make wiretaps on that
9333 line useless unless the attacker is capable of breaking the
9336 <P> IPSEC, however, can protect <EM>any protocol</EM> running above IP
9337 and <EM> any medium</EM> which IP runs over. More to the point, it can
9338 protect a mixture of application protocols running over a complex
9339 combination of media. This is the normal situation for Internet
9340 communication; IPSEC is the only general solution. </P>
9341 <P>IPSEC can also provide some security services "in the background",
9342 with <STRONG> no visible impact on users</STRONG>. To use <A href="#PGP">
9343 PGP</A> encryption and signatures on mail, for example, the user must
9346 <LI>remember his or her passphrase,</LI>
9347 <LI>keep it secure</LI>
9348 <LI>follow procedures to validate correspondents' keys</LI>
9350 <P> These systems can be designed so that the burden on users is not
9351 onerous, but any system will place some requirements on users. No such
9352 system can hope to be secure if users are sloppy about meeting those
9353 requirements. The author has seen username and password stuck on
9354 terminals with post-it notes in an allegedly secure environment, for
9356 <H3><A name="limitations">Limitations of IPSEC</A></H3>
9357 <P>IPSEC is designed to secure IP links between machines. It does that
9358 well, but it is important to remember that there are many things it
9359 does not do. Some of the important limitations are:</P>
9361 <DT><A name="depends">IPSEC cannot be secure if your system isn't</A></DT>
9362 <DD>System security on IPSEC gateway machines is an essential
9363 requirement if IPSEC is to function as designed. No system can be
9364 trusted if the underlying machine has been subverted. See books on
9365 Unix security such as <A href="#practical">Garfinkel and Spafford</A>
9366 or our web references for <A href="#linsec">Linux security</A> or more
9367 general <A href="#compsec">computer security</A>. </DD>
9368 <P>Of course, there is another side to this. IPSEC can be a powerful
9369 tool for improving system and network security. For example, requiring
9370 packet authentication makes various spoofing attacks harder and IPSEC
9371 tunnels can be extremely useful for secure remote administration of
9373 <DT><A name="not-end-to-end">IPSEC is not end-to-end</A></DT>
9374 <DD>IPSEC cannot provide the same end-to-end security as systems
9375 working at higher levels. IPSEC encrypts an IP connection between two
9376 machines, which is quite a different thing than encrypting messages
9377 between users or between applications. </DD>
9378 <P>For example, if you need mail encrypted from the sender's desktop
9379 to the recipient's desktop and decryptable only by the recipient, use <A
9380 href="#PGP"> PGP</A> or another such system. IPSEC can encrypt any or
9381 all of the links involved -- between the two mail servers, or between
9382 either server and its clients. It could even be used to secure a
9383 direct IP link from the sender's desktop machine to the recipient's,
9384 cutting out any sort of network snoop. What it cannot ensure is
9385 end-to-end user-to-user security. If only IPSEC is used to secure
9386 mail, then anyone with appropriate privileges on any machine where
9387 that mail is stored (at either end or on any store-and-forward servers
9388 in the path) can read it.</P>
9389 <P>In another common setup, IPSEC encrypts packets at a security
9390 gateway machine as they leave the sender's site and decrypts them on
9391 arrival at the gateway to the recipient's site. This does not even
9392 come close to providing an end-to-end service. In particular, anyone
9393 with appropriate privileges on either site's LAN can intercept the
9394 message in unencrypted form.</P>
9395 <DT><A name="notpanacea">IPSEC cannot do everything</A></DT>
9396 <DD>IPSEC also cannot provide all the functions of systems working at
9397 higher levels of the protocol stack. If you need a document
9398 electronically signed by a particular person, then you need his or her <A
9399 href="#signature"> digital signature</A> and a <A href="#public">public
9400 key cryptosystem</A> to verify it with. </DD>
9401 <P>Note, however, that IPSEC authentication of the underlying
9402 communication can make various attacks on higher-level protocols more
9403 difficult. In particular, authentication prevents <A href="#middle">
9404 man-in-the-middle attacks</A>.</P>
9405 <DT><A name="no_user">IPSEC authenticates machines, not users</A></DT>
9406 <DD>IPSEC uses strong authentication mechanisms to control which
9407 messages go to which machines, but it does not have the concept of
9408 user ID, which is vital to many other security mechansims and
9409 policies. This means some care must be taken in fitting the various
9410 security mechansims on a network together. For example, if you need to
9411 control which users access your database server, you need some
9412 non-IPSEC mechansim for that. IPSEC can control which machines connect
9413 to the server, and can ensure that data transfer to those machines is
9414 done securely, but that is all. Either the machines themselves must
9415 control user access or there must be some form of user authentication
9416 to the database, independent of IPSEC.</DD>
9417 <DT><A name="DoS">IPSEC does not stop denial of service attacks</A></DT>
9418 <DD><A href="#DoS">Denial of service</A> attacks aim at causing a
9419 system to crash, overload, or become confused so that legitimate users
9420 cannot get whatever services the system is supposed to provide. These
9421 are quite different from attacks in which the attacker seeks either to
9422 use the service himself or to subvert the service into delivering
9423 incorrect results. </DD>
9424 <P>IPSEC shifts the ground for DoS attacks; the attacks possible
9425 against systems using IPSEC are different than those that might be
9426 used against other systems. It does not, however, eliminate the
9427 possibility of such attacks.</P>
9428 <DT><A name="traffic">IPSEC does not stop traffic analysis</A></DT>
9429 <DD><A href="#traffic">Traffic analysis</A> is the attempt to derive
9430 intelligence from messages without regard for their contents. In the
9431 case of IPSEC, it would mean analysis based on things visible in the
9432 unencrypted headers of encrypted packets -- source and destination
9433 gateway addresses, packet size, et cetera. Given the resources to
9434 acquire such data and some skill in analysing it (both of which any
9435 national intelligence agency should have), this can be a very powerful
9437 <P>IPSEC is not designed to defend against this. Partial defenses are
9438 certainly possible, and some are <A href="#traffic.resist">described
9439 below</A>, but it is not clear that any complete defense can be
9442 <H3><A name="uses">IPSEC is a general mechanism for securing IP</A></H3>
9443 <P>While IPSEC does not provide all functions of a mail encryption
9444 package, it can encrypt your mail. In particular, it can ensure that
9445 all mail passing between a pair or a group of sites is encrypted. An
9446 attacker looking only at external traffic, without access to anything
9447 on or behind the IPSEC gateway, cannot read your mail. He or she is
9448 stymied by IPSEC just as he or she would be by <A href="#PGP">PGP</A>.</P>
9449 <P>The advantage is that IPSEC can provide the same protection for <STRONG>
9450 anything transmitted over IP</STRONG>. In a corporate network example,
9451 PGP lets the branch offices exchange secure mail with head office. SSL
9452 and SSH allow them to securely view web pages, connect as terminals to
9453 machines, and so on. IPSEC can support all those applications, plus
9454 database queries, file sharing (NFS or Windows), other protocols
9455 encapsulated in IP (Netware, Appletalk, ...), phone-over-IP,
9456 video-over-IP, ... anything-over-IP. The only limitation is that IP
9457 Multicast is not yet supported, though there are Internet Draft
9458 documents for that.</P>
9459 <P>IPSEC creates <STRONG>secure tunnels through untrusted networks</STRONG>
9460 . Sites connected by these tunnels form VPNs, <A href="#vpn">Virtual
9461 Private Networks</A>.</P>
9462 <P>IPSEC gateways can be installed wherever they are required.</P>
9464 <LI>One organisation might choose to install IPSEC only on firewalls
9465 between their LANs and the Internet. This would allow them to create a
9466 VPN linking several offices. It would provide protection against
9467 anyone outside their sites.</LI>
9468 <LI>Another might install IPSEC on departmental servers so everything
9469 on the corporate backbone net was encrypted. This would protect
9470 messages on that net from everyone except the sending and receiving
9472 <LI>Another might be less concerned with information secrecy and more
9473 with controlling access to certain resources. They might use IPSEC
9474 packet authentication as part of an access control mechanism, with or
9475 without also using the IPSEC encryption service.</LI>
9476 <LI>It is even possible (assuming adequate processing power and an
9477 IPSEC implementation in each node) to make every machine its own IPSEC
9478 gateway so that everything on a LAN is encrypted. This protects
9479 information from everyone outside the sending and receiving machine.</LI>
9480 <LI>These techniques can be combined in various ways. One might, for
9481 example, require authentication everywhere on a network while using
9482 encryption only for a few links.</LI>
9484 <P> Which of these, or of the many other possible variants, to use is
9485 up to you. <STRONG> IPSEC provides mechanisms; you provide the policy</STRONG>
9487 <P><STRONG>No end user action is required</STRONG> for IPSEC security
9488 to be used; they don't even have to know about it. The site
9489 administrators, of course, do have to know about it and to put some
9490 effort into making it work. Poor administration can compromise IPSEC
9491 as badly as the post-it notes mentioned above. It seems reasonable,
9492 though, for organisations to hope their system administrators are
9493 generally both more security-conscious than end users and more able to
9494 follow computer security procedures. If not, at least there are fewer
9495 of them to educate or replace.</P>
9496 <P>IPSEC can be, and often should be, used with along with security
9497 protocols at other levels. If two sites communicate with each other
9498 via the Internet, then IPSEC is the obvious way to protect that
9499 communication. If two others have a direct link between them, either
9500 link encryption or IPSEC would make sense. Choose one or use both.
9501 Whatever you use at and below the IP level, use other things as
9502 required above that level. Whatever you use above the IP level,
9503 consider what can be done with IPSEC to make attacks on the higher
9504 levels harder. For example, <A href="#middle">man-in-the-middle attacks</A>
9505 on various protocols become difficult if authentication at packet
9506 level is in use on the potential victims' communication channel.</P>
9507 <H3><A name="authonly">Using authentication without encryption</A></H3>
9508 <P> Where appropriate, IPSEC can provide authentication without
9509 encryption. One might do this, for example:</P>
9511 <LI>where the data is public but one wants to be sure of getting the
9512 right data, for example on some web sites</LI>
9513 <LI>where encryption is judged unnecessary, for example on some company
9514 or department LANs</LI>
9515 <LI>where strong encryption is provided at link level, below IP</LI>
9516 <LI>where strong encryption is provided in other protocols, above IP
9517 <BR> Note that IPSEC authentication may make some attacks on those
9518 protocols harder.</LI>
9520 <P> Authentication has lower overheads than encryption. </P>
9521 <P> The protocols provide four ways to build such connections, using
9522 either an AH-only connection or ESP using null encryption, and in
9523 either manually or automatically keyed mode. FreeS/WAN supports only
9524 one of these, manually keyed AH-only connections, and <STRONG>we do not
9525 recommend using that</STRONG>. Our reasons are discussed under <A href="#traffic.resist">
9526 Resisting traffic analysis</A> a few sections further along. </P>
9527 <H3><A name="encnoauth">Encryption without authentication is dangerous</A>
9529 <P>Originally, the IPSEC encryption protocol <A href="#ESP">ESP</A>
9530 didn't do integrity checking. It only did encryption. Steve Bellovin
9531 found many ways to attack ESP used without authentication. See his
9532 paper <A href="http://www.research.att.com/~smb/papers/badesp.ps">
9533 Problem areas for the IP Security Protocols</A>. To make a secure
9534 connection, you had to add an <A href="#AH">AH</A> Authentication
9535 Header as well as ESP. Rather than incur the overhead of several
9536 layers (and rather than provide an ESP layer that didn't actually
9537 protect the traffic), the IPSEC working group built integrity and
9538 replay checking directly into ESP.</P>
9539 <P>Today, typical usage is one of:</P>
9541 <LI>ESP for encryption and authentication</LI>
9542 <LI>AH for authentication alone</LI>
9544 <P> Other variants are allowed by the standard, but not much used:</P>
9546 <DT>ESP encryption without authentication</DT>
9547 <DD><STRONG>Bellovin has demonstrated fatal flaws in this. Do not use.</STRONG>
9549 <DT>ESP encryption with AH authentication</DT>
9550 <DD>This has higher overheads than using the authentication in ESP, and
9551 no obvious benefit in most cases. The exception might be a network
9552 where AH authentication was widely or universally used. If you're
9553 going to do AH to conform with network policy, why authenticate again
9554 in the ESP layer?</DD>
9555 <DT>Authenticate twice, with AH and with ESP</DT>
9556 <DD>Why? Of course, some folk consider "belt and suspenders" the
9557 sensible approach to security. If you're among them, you might use
9558 both protocols here. You might also use both to satisfy different
9559 parts of a security policy. For example, an organisation might require
9560 AH authentication everywhere but two users within the organisation
9561 might use ESP as well.</DD>
9562 <DT>ESP authentication without encryption</DT>
9563 <DD>The standard allows this, calling it "null encryption". FreeS/WAN
9564 does not support it. We recommend that you use AH instead if
9565 authentication is all you require. AH authenticates parts of the IP
9566 header, which ESP-null does not do.</DD>
9568 Some of these variants cannot be used with FreeS/WAN because we do not
9569 support ESP-null and do not support automatic keying of AH-only
9571 <P> There are fairly frequent suggestions that AH be dropped entirely
9572 from the IPSEC specifications since ESP and null encryption can handle
9573 that situation. It is not clear whether this will occur. My guess is
9574 that it is unlikely.</P>
9575 <H3><A name="multilayer">Multiple layers of IPSEC processing are
9577 <P>The above describes combinations possible on a single IPSEC
9578 connection. In a complex network you may have several layers of IPSEC
9579 in play, with any of the above combinations at each layer.</P>
9580 <P>For example, a connection from a desktop machine to a database
9581 server might require AH authentication. Working with other host,
9582 network and database security measures, AH might be just the thing for
9583 access control. You might decide not to use ESP encryption on such
9584 packets, since it uses resources and might complicate network
9585 debugging. Within the site where the server is, then, only AH would be
9586 used on those packets.</P>
9587 <P>Users at another office, however, might have their whole connection
9588 (AH headers and all) passing over an IPSEC tunnel connecting their
9589 office to the one with the database server. Such a tunnel should use
9590 ESP encryption and authentication. You need authentication in this
9591 layer because without authentication the encryption is vulnerable and
9592 the gateway cannot verify the AH authentication. The AH is between
9593 client and database server; the gateways aren't party to it.</P>
9594 <P>In this situation, some packets would get multiple layers of IPSEC
9595 applied to them, AH on an end-to-end client-to-server basis and ESP
9596 from one office's security gateway to the other.</P>
9597 <H3><A name="traffic.resist">Resisting traffic analysis</A></H3>
9598 <P><A href="#traffic"> Traffic analysis</A> is the attempt to derive
9599 useful intelligence from encrypted traffic without breaking the
9601 <P> Is your CEO exchanging email with a venture capital firm? With
9602 bankruptcy trustees? With an executive recruiting agency? With the
9603 holder of some important patents? If an eavesdropper learns that, he
9604 has interesting intelligence on your company, whether or not he can
9605 read the messages themselves. </P>
9606 <P> Except in the simplest cases, traffic analysis is hard to do well.
9607 It requires both considerable resources and considerable analytic
9608 skill. However, intelligence agencies of various nations have been
9609 doing it for centuries and many of them are likely quite good at it by
9610 now. Various commercial organisations, especially those working on
9611 "targeted marketing" may also be quite good at analysing certain types
9613 <P> In general, defending against traffic analysis is also difficult.
9614 Inventing a really good defense could get you a PhD and some
9615 interesting job offers. </P>
9616 <P> IPSEC is not designed to stop traffic analysis and we know of no
9617 plausible method of extending it to do so. That said, there are ways to
9618 make traffic analysis harder. This section describes them. </P>
9619 <H4><A name="extra">Using "unnecessary" encryption</A></H4>
9620 <P> One might choose to use encryption even where it appears
9621 unnecessary in order to make analysis more difficult. Consider two
9622 offices which pass a small volume of business data between them using
9623 IPSEC and also transfer large volumes of Usenet news. At first glance,
9624 it would seem silly to encrypt the newsfeed, except possibly for any
9625 newsgroups that are internal to the company. Why encrypt data that is
9626 all publicly available from many sites?</P>
9627 <P> However, if we encrypt a lot of news and send it down the same
9628 connection as our business data, we make <A href="#traffic">traffic
9629 analysis</A> much harder. A snoop cannot now make inferences based on
9630 patterns in the volume, direction, sizes, sender, destination, or
9631 timing of our business messages. Those messages are hidden in a mass of
9632 news messages encapsulated in the same way.</P>
9633 <P> If we're going to do this we need to ensure that keys change often
9634 enough to remain secure even with high volumes and with the adversary
9635 able to get plaintext of much of the data. We also need to look at
9636 other attacks this might open up. For example, can the adversary use a
9637 chosen plaintext attack, deliberately posting news articles which, when
9638 we receive and encrypt them, will help break our encryption? Or can he
9639 block our business data transmission by flooding us with silly news
9640 articles? Or ...</P>
9641 <P> Also, note that this does not provide complete protection against
9642 traffic analysis. A clever adversary might still deduce useful
9643 intelligence from statistical analysis (perhaps comparing the input
9644 newsfeed to encrypted output, or comparing the streams we send to
9645 different branch offices), or by looking for small packets which might
9646 indicate establishment of TCP connections, or ...</P>
9647 <P> As a general rule, though, one can improve resistance to traffic
9648 analysis by encrypting <EM>as much traffic as possible</EM> rather than
9649 only as much as seems necessary.</P>
9650 <P> This also applies to using multiple layers of encryption. If you
9651 have an IPSEC tunnel between two branch offices, it might appear silly
9652 to send PGP-encrypted email through that tunnel. However, if you
9653 suspect someone is snooping your traffic, then it does make sense: </P>
9655 <LI>it protects the mail headers; they cannot even see who is mailing
9657 <LI>it protects against user bungles or software malfunctions that
9658 accidentally send messages in the clear </LI>
9659 <LI>it makes any attack on the mail encryption much harder; first they
9660 have to find the mail </LI>
9662 Similar arguments apply for SSL-encrypted web traffic or SSH-encrypted
9663 remote login sessions, even for end-to-end IPSEC tunnels between
9664 systems in the two offices.
9665 <H4><A name="fewer">Using fewer tunnels</A></H4>
9666 <P> It may also help to use fewer tunnels. For example, if all you
9667 actually need encrypted is connections between: </P>
9669 <LI>mail servers at branch and head offices </LI>
9670 <LI>a few branch office users and the head office database server </LI>
9672 <P> You might build one tunnel per mail server and one per remote
9673 database user, restricting traffic to those applications. This gives
9674 the traffic analyst some information, however. He or she can
9675 distinguish the tunnels by looking at information in the ESP header
9676 and, given that distinction and the patterns of tunnel usage, might be
9677 able to figure out something useful. Perhaps not, but why take the
9679 <P> We suggest instead that you build one tunnel per branch office,
9680 encrypting everything passing from head office to branches. This has a
9681 number of advantages: </P>
9683 <LI>it is easier to build and administer </LI>
9684 <LI>it resists traffic analysis somewhat better </LI>
9685 <LI>it provides security for whatever you forgot. For example, if some
9686 user at a remote office browses proprietary company data on some head
9687 office web page (that the security people may not even know about!),
9688 then that data is encrypted before it reaches the Internet. </LI>
9690 <P> Of course you might also want to add additional tunnels. For
9691 example, if some of the database data is confidential and should not be
9692 exposed even within the company, then you need protection from the
9693 user's desktop to the database server. We suggest you do that in
9694 whatever way seems appropriate -- IPSEC, SSH or SSL might fit -- but,
9695 whatever you choose, pass it between locations via a gateway-to-gateway
9696 IPSEC tunnel to provide some resistance to traffic analysis. </P>
9697 <H2><A name="primitives">Cryptographic components</A></H2>
9698 <P> IPSEC combines a number of cryptographic techniques, all of them
9699 well-known and well-analyzed. The overall design approach was
9700 conservative; no new or poorly-understood components were included.</P>
9701 <P>This section gives a brief overview of each technique. It is
9702 intended only as an introduction. There is more information, and links
9703 to related topics, in our <A href="glossary.html">glossary</A>. See
9704 also our <A href="biblio.html">bibliography</A> and cryptography <A href="#crypto.link">
9706 <H3><A name="block.cipher">Block ciphers</A></H3>
9707 <P> The <A href="#encryption">encryption</A> in the <A href="#ESP">ESP</A>
9708 encapsulation protocol is done with a <A href="#block">block cipher</A>
9710 <P> We do not implement <A href="#DES">single DES</A>. It is <A href="#desnotsecure">
9711 insecure</A>. Our default, and currently only, block cipher is <A href="#3DES">
9713 <P> The Rijndael block cipher has just won the <A href="#AES">AES</A>
9714 competition to choose a relacement for DES. It will almost certainly
9715 be added to FreeS/WAN and to other IPSEC implementations.</P>
9716 <H3><A name="hash.ipsec">Hash functions</A></H3>
9717 <H4><A name="hmac.ipsec">The HMAC construct</A></H4>
9718 <P> IPSEC packet authentication is done with the HMAC construct. This
9719 is not just a hash of the packet data, but a more complex operation
9720 which uses both a hashing algorithm (MD5 or SHA) and a key. It
9721 therefore does more than a simple hash would. A simple hash would only
9722 tell you that the packet data was not changed in transit, or that
9723 whoever changed it also regenerated the hash. An HMAC also tells you
9724 that the sender knew the HMAC key.</P>
9725 <P> For IPSEC HMAC, the output of the hash algorithm is truncated to 96
9726 bits. This saves some space in the packets. More important, it prevents
9727 an attacker from seeing all the hash output bits and perhaps creating
9728 some sort of attack based on that knowledge.</P>
9729 <H3><A name="DH.keying">Diffie-Hellman key agreement</A></H3>
9730 <P> The <A href="#DH">Diffie-Hellman</A> key agreement protocol allows
9731 two parties (A and B or <A href="#alicebob">Alice and Bob</A>) to agree
9732 on a key in such a way that an eavesdropper who intercepts the entire
9733 conversation cannot learn the key.</P>
9734 <P> The protocol is based on the <A href="#dlog">discrete logarithm</A>
9735 problem and is therefore thought to be secure. Mathematicians have
9736 been working on that problem for years and seem no closer to a
9737 solution, though there is no proof that an efficient solution is
9739 <H3><A name="RSA.auth">RSA authentication</A></H3>
9740 <P> The <A href="#RSA">RSA</A> algorithm (named for its inventors --
9741 Rivest, Shamir and Adleman) is a very widely used <A href="#">public key</A>
9742 cryptographic technique. It is used in IPSEC as one method of
9743 authenticating gateways for Diffie-Hellman key negotiation.</P>
9744 <H2><A name="structure">Structure of IPSEC</A></H2>
9745 <P>There are three protocols used in an IPSEC implementation:</P>
9747 <DT>ESP, Encapsulating Security Payload</DT>
9748 <DD>Encrypts and/or authenticates data</DD>
9749 <DT>AH, Authentication Header</DT>
9750 <DD>Provides a packet authentication service</DD>
9751 <DT>IKE, Internet Key Exchange</DT>
9752 <DD>Negotiates connection parameters, including keys, for the other two</DD>
9754 <P> The term "IPSEC" is slightly ambiguous. In some contexts, it
9755 includes all three of the above but in other contexts it refers only to
9757 <H3><A name="IKE.ipsec">IKE (Internet Key Exchange)</A></H3>
9758 <P>The IKE protocol sets up IPSEC (ESP or AH) connections after
9759 negotiating appropriate parameters (algorithms to be used, keys,
9760 connection lifetimes) for them. This is done by exchanging packets on
9761 UDP port 500 between the two gateways.</P>
9762 <P>IKE (RFC 2409) was the outcome of a long, complex process in which
9763 quite a number of protocols were proposed and debated. Oversimplifying
9764 mildly, IKE combines:</P>
9766 <DT>ISAKMP (RFC 2408)</DT>
9767 <DD>The <STRONG>I</STRONG>nternet <STRONG>S</STRONG>ecurity <STRONG> A</STRONG>
9768 ssociation and <STRONG>K</STRONG>ey <STRONG> M</STRONG>anagement <STRONG>
9769 P</STRONG>rotocol manages negotiation of connections and defines <A href="#SA">
9770 SA</A>s (Security Associations) as a means of describing connection
9772 <DT>IPSEC DOI for ISAKMP (RFC 2407)</DT>
9773 <DD>A <STRONG>D</STRONG>omain <STRONG>O</STRONG>f <STRONG> I</STRONG>
9774 nterpretation fills in the details necessary to turn the rather
9775 abstract ISAKMP protocol into a more tightly specified protocol, so it
9776 becomes applicable in a particular domain.</DD>
9777 <DT>Oakley key determination protocol (RFC 2412)</DT>
9778 <DD>Oakley creates keys using the <A href="#DH">Diffie-Hellman</A> key
9779 agreement protocol.</DD>
9781 <P> For all the details, you would need to read the four <A href="rfc.html">
9782 RFCs</A> just mentioned (over 200 pages) and a number of others. We
9783 give a summary below, but it is far from complete.</P>
9784 <H4><A name="phases">Phases of IKE</A></H4>
9785 <P>IKE negotiations have two phases.</P>
9788 <DD>The two gateways negotiate and set up a two-way ISAKMP SA which
9789 they can then use to handle phase two negotiations. One such SA
9790 between a pair of gateways can handle negotiations for multiple
9793 <DD>Using the ISAKMP SA, the gateways negotiate IPSEC (ESP and/or AH)
9794 SAs as required. IPSEC SAs are unidirectional (a different key is used
9795 in each direction) and are always negotiated in pairs to handle
9796 two-way traffic. There may be more than one pair defined between two
9799 Both of these phases use the UDP protocol and port 500 for their
9801 <P> After both IKE phases are complete, you have IPSEC SAs to carry
9802 your encrypted data. These use the ESP or AH protocols. These
9803 protocols do not have ports; ports apply only to UDP or TCP. </P>
9804 <P> The IKE protocol is designed to be extremely flexible. Among the
9805 things that can be negotiated (separately for each SA) are:</P>
9807 <LI>SA lifetime before rekeying</LI>
9808 <LI>encryption algorithm used. We currently support only <A href="#3DES">
9809 triple DES</A>. Single DES is <A href="#desnotsecure"> insecure</A>.
9810 The RFCs say you MUST do DES, SHOULD do 3DES and MAY do various
9811 others. We do not do any of the others.</LI>
9812 <LI>authentication algorithms. We support <A href="#MD5">MD5</A> and <A href="#SHA">
9813 SHA</A>. These are the two the RFCs require.</LI>
9814 <LI>choice of group for <A href="#DH">Diffie-Hellman</A> key agreement.
9815 We currently support Groups 2 and 5 (which are defined modulo primes
9816 of various lengths) and do not support Group 1 (defined modulo a
9817 shorter prime, and therefore cryptographically weak) or groups 3 and
9818 4 (defined using elliptic curves). The RFCs require only Group 1.</LI>
9820 <P> The protocol also allows implementations to add their own
9821 encryption algorithms, authentication algorithms or Diffie-Hellman
9822 groups. We do not support any such extensions.</P>
9823 <P>There are a number of complications:</P>
9825 <LI>The gateways must be able to authenticate each other's identities
9826 before they can create a secure connection. This host authentication
9827 is part of phase one negotiations, and is a required prerequisite for
9828 packet authentication used later. Host authentication can be done in
9829 a variety of ways. Those supported by FreeS/WAN are discussed in our <A href="#choose">
9830 configuration</A> document.</LI>
9831 <LI>Phase one can be done in two ways.
9833 <LI>Main Mode is required by the RFCs and supported in FreeS/WAN.</LI>
9834 <LI>Aggressive Mode is somewhat faster but reveals more to an
9835 eavesdropper. This is optional in the RFCs, not currently supported
9836 by FreeS/WAN, and not likely to be.</LI>
9839 <LI>Phase two always uses Quick Mode, but there are two variants of
9842 <LI>One variant provides <A href="#PFS">Perfect Forward Secrecy (PFS)</A>
9843 . An attacker that obtains your long-term host authentication key does
9844 not immediately get any of your short-term packet encryption of packet
9845 authentication keys. He must conduct another successful attack each
9846 time you rekey to get the short-term keys. Having some short-term keys
9847 does not help him learn others. In particular, breaking your system
9848 today does not let him read messages he archived yestarday, assuming
9849 you've changed short-term keys in the meanwhile. We enable PFS as the
9851 <LI>The other variant disables PFS and is therefore slightly faster.
9852 We do not recommend this since it is less secure, but FreeS/WAN does
9853 support it. You can enable it with a <VAR>pfs=no</VAR> statement in <A href="manpage.d/ipsec.conf.5.html">
9854 ipsec.conf(5)</A>.</LI>
9857 <LI>Several types of notification message may be sent by either side
9858 during either phase, or later. FreeS/WAN does not currently support
9859 these, but they are a likely addition in future releases.</LI>
9860 <LI>A new group exchange may take place after phase one but before
9861 phase two, defining up an additional group for use in the <A href="#DH">
9862 Diffie-Hellman</A> key agreement part of phase two. FreeS/WAN does not
9863 currently support this.</LI>
9864 <LI>There is a commit flag which may optionally be set on some
9865 messages. The <A href="http://www.lounge.org/ike_doi_errata.html">
9866 errata</A> page for the RFCs includes two changes related to this, one
9867 to clarify the description of its use and one to block a <A href="#DoS">
9868 denial of service</A> attack which uses it. We currently do not
9869 implement this feature.</LI>
9871 <P> These complications can of course lead to problems, particularly
9872 when two different implementations attempt to interoperate. For
9873 example, we have seen problems such as: </P>
9875 <LI>Some implememtations (often products crippled by <A href="#exlaw">
9876 export laws</A>) have the insecure DES algorithm as their only
9877 supported encryption method. See our <A href="#desnotsecure">DES
9878 insecurity</A> comments for the reasons we do not implement single
9879 DES, and our <A href="#noDES">FAQ</A> for a discussion of how to cope
9880 with crippled products.</LI>
9881 <LI>Windows 2000 IPSEC tries to negotiate with FreeS/WAN using
9882 Aggressive Mode, which we don't support. Later on, it uses the commit
9883 bit, which we also don't support.</LI>
9884 <LI>FreeS/WAN's interaction with PGPnet is complicated by their use of
9885 notification messages we do not yet support.</LI>
9887 <P> Despite this, we do interoperate successfully with many
9888 implementations, including both Windows 2000 and PGPnet. Details are in
9889 our <A href="interop.html">interoperability</A> document. </P>
9890 <H4><A name="struct.exchange">Structure of IKE messages</A></H4>
9891 <P>Here is our Pluto developer explaining some of this on the mailing
9894 When one IKE system (for example, Pluto) is negotiating with another
9895 to create an SA, the Initiator proposes a bunch of choices and the
9896 Responder replies with one that it has selected.
9898 The structure of the choices is fairly complicated. An SA payload
9899 contains a list of lists of "Proposals". The outer list is a set of
9900 choices: the selection must be from one element of this list.
9902 Each of these elements is a list of Proposals. A selection must be
9903 made from each of the elements of the inner list. In other words,
9904 *all* of them apply (that is how, for example, both AH and ESP can
9907 Within each of these Proposals is a list of Transforms. For each
9908 Proposal selected, one Transform must be selected (in other words,
9909 each Proposal provides a choice of Transforms).
9911 Each Transform is made up of a list of Attributes describing, well,
9912 attributes. Such as lifetime of the SA. Such as algorithm to be
9913 used. All the Attributes apply to a Transform.
9915 You will have noticed a pattern here: layers alternate between being
9916 disjunctions ("or") and conjunctions ("and").
9918 For Phase 1 / Main Mode (negotiating an ISAKMP SA), this structure is
9919 cut back. There must be exactly one Proposal. So this degenerates to
9920 a list of Transforms, one of which must be chosen.
9922 <H3><A name="services">IPSEC Services, AH and ESP</A></H3>
9923 <P> IPSEC offers two services, <A href="#authentication">authentication</A>
9924 and <A href="#encryption">encryption</A>. These can be used separately
9925 but are often used together.</P>
9927 <DT>Authentication</DT>
9928 <DD>Packet-level authentication allows you to be confident that a
9929 packet came from a particular machine and that its contents were not
9930 altered en route to you. No attempt is made to conceal or protect the
9931 contents, only to assure their integrity. </DD>
9932 <P>Packet authentication can be provided separately using an <A href="#AH">
9933 Authentication Header</A>, described just below, or it can be included
9934 as part of the <A href="#ESP">ESP</A> (Encapsulated Security Payload)
9935 service, described in the following section. That service offers
9936 encryption as well as authentication.</P>
9938 <DD>Encryption allows you to conceal the contents of a message from
9939 eavesdroppers. </DD>
9940 <P>In IPSEC this is done using a <A href="#block">block cipher</A>
9941 (normally <A href="#3DES">Triple DES</A> for Linux). In the most used
9942 setup, keys are automatically negotiated, and periodically
9943 re-negotiated, using the <A href="#IKE">IKE</A> (Internet Key Exchange)
9944 protocol. In Linux FreeS/WAN this is handled by the Pluto Daemon.</P>
9945 <P>The IPSEC protocol offering encryption is <A href="#ESP">ESP</A>,
9946 Encapsulated Security Payload. It can also include a packet
9947 authentication service.</P>
9949 <P> Note that <STRONG>encryption should always be used with some packet
9950 authentication service</STRONG>. Unauthenticated encryption is
9951 vulnerable to <A href="#middle"> man-in-the-middle attacks</A>. Also
9952 note that encryption does not necessarily prevent <A href="#traffic">
9953 traffic analysis</A>.</P>
9954 <H3><A name="AH.ipsec">The Authentication Header (AH)</A></H3>
9955 <P>Packet authentication can be provided separately from encryption by
9956 adding an authentication header (AH) after the IP header but before
9957 the other headers on the packet. This is the subject of this section.
9958 Details are in RFC 2402.</P>
9959 <P>Each of the several headers on a packet header contains a "next
9960 protocol" field telling the system what header to look for next. IP
9961 headers generally have either TCP or UDP in this field. When IPSEC
9962 authentication is used, the packet IP header has AH in this field,
9963 saying that an Authentication Header comes next. The AH header then
9964 has the next header type -- usually TCP, UDP or encapsulated IP.</P>
9965 <P>IPSEC packet authentication can be added in transport mode, as a
9966 modification of standard IP transport. This is shown in this diagram
9968 <PRE> BEFORE APPLYING AH
9969 ----------------------------
9970 IPv4 |orig IP hdr | | |
9971 |(any options)| TCP | Data |
9972 ----------------------------
9975 ---------------------------------
9976 IPv4 |orig IP hdr | | | |
9977 |(any options)| AH | TCP | Data |
9978 ---------------------------------
9980 except for mutable fields</PRE>
9981 <P>Athentication can also be used in tunnel mode, encapsulating the
9982 underlying IP packet beneath AH and an additional IP header.</P>
9984 IPv4 | new IP hdr* | | orig IP hdr* | | |
9985 |(any options)| AH | (any options) |TCP | Data |
9986 ------------------------------------------------
9988 | in the new IP hdr |</PRE>
9989 <P>This would normally be used in a gateway-to-gateway tunnel. The
9990 receiving gateway then strips the outer IP header and the AH header
9991 and forwards the inner IP packet.</P>
9992 <P>The mutable fields referred to are things like the time-to-live
9993 field in the IP header. These cannot be included in authentication
9994 calculations because they change as the packet travels.</P>
9995 <H4><A name="keyed">Keyed MD5 and Keyed SHA</A></H4>
9996 <P> The actual authentication data in the header is typically 96 bits
9997 and depends both on a secret shared between sender and receiver and on
9998 every byte of the data being authenticated.</P>
9999 <P> The algorithms involved are the <A href="#MD5">MD5</A> Message
10000 Digest Algorithm or <A href="#SHA">SHA</A>, the Secure Hash Algorithm.
10001 For details on their use in this application, see RFCs 2403 and 2404
10003 <P>For descriptions of the algorithms themselves, see RFC 1321 for MD5
10004 and <A href="#FIPS"> FIPS</A> (Federal Information Processing Standard)
10005 number 186 from <A href="#NIST">NIST</A>, the US National Institute of
10006 Standards and Technology for SHA. <A href="#schneier"><CITE>Applied
10007 Cryptography</CITE></A> covers both in some detail, MD5 starting on
10008 page 436 and SHA on 442.</P>
10009 <P>These algorithms are intended to make it nearly impossible for
10010 anyone to alter the authenticated data in transit. The sender
10011 calculates a digest or hash value from that data and includes the
10012 result in the authentication header. The recipient does the same
10013 calculation and compares results. For unchanged data, the results will
10014 be identical. The hash algorithms are designed to make it extremely
10015 difficult to change the data in any way and still get the correct hash.</P>
10016 <P>Since the shared secret key is also used in both calculations, an
10017 interceptor cannot simply alter the authenticated data and change the
10018 hash value to match. Without the key, he or she (or even the dreaded
10019 They) cannot produce a usable hash.</P>
10020 <H4><A name="sequence">Sequence numbers</A></H4>
10021 <P>The authentication header includes a sequence number field which the
10022 sender is required to increment for each packet. The receiver can
10023 ignore it or use it to check that packets are indeed arriving in the
10024 expected sequence.</P>
10025 <P>This provides partial protection against <A href="#replay">replay
10026 attacks</A> in which an attacker resends intercepted packets in an
10027 effort to confuse or subvert the receiver. Complete protection is not
10028 possible since it is necessary to handle legitmate packets which are
10029 lost, duplicated, or delivered out of order, but use of sequence
10030 numbers makes the attack much more difficult.</P>
10031 <P>The RFCs require that sequence numbers never cycle, that a new key
10032 always be negotiated before the sequence number reaches 2^32-1. This
10033 protects both against replays attacks using packets from a previous
10034 cyclce and against <A href="#birthday">birthday attacks</A> on the the
10035 packet authentication algorithm.</P>
10036 <P>In Linux FreeS/WAN, the sequence number is ignored for manually
10037 keyed connections and checked for automatically keyed ones. In
10038 automatic mode, we do that. In manual mode, there is no way to
10039 negotiate a new key, or to recover from a sequence number problem, so
10040 we don't use sequence numbers.</P>
10041 <H3><A name="ESP.ipsec">Encapsulated Security Payload (ESP)</A></H3>
10042 <P>The ESP protocol is defined in RFC 2406. It provides one or both of
10043 encryption and packet authentication. It may be used with or without
10044 AH packet authentication.</P>
10045 <P>Note that <STRONG>some form of packet authentication should <EM>
10046 always</EM> be used whenever data is encrypted</STRONG>. Without
10047 authentication, the encryption is vulnerable to active attacks which
10048 may allow an enemy to break the encryption. ESP should <STRONG>always</STRONG>
10049 either include its own authentication or be used with AH
10050 authentication.</P>
10051 <P>The RFCs require support for only two mandatory encryption
10052 algorithms -- <A href="#DES"> DES</A>, and null encryption -- and for
10053 two authentication methods -- keyed MD5 and keyed SHA. Implementers
10054 may choose to support additional algorithms in either category.</P>
10055 <P>The authentication algorithms are the same ones used in the IPSEC <A href="#AH">
10056 authentication header</A>.</P>
10057 <P> We do not implement single DES since <A href="#desnotsecure">DES is
10058 insecure</A>. Instead we provide <A href="#3DES">triple DES or 3DES</A>
10059 . This is currently the only encryption algorithm supported.</P>
10060 <P> We do not implement null encryption since it is obviously insecure.</P>
10061 <H2><A name="modes">IPSEC modes</A></H2>
10062 <P>IPSEC can connect in two modes. Transport mode is a host-to-host
10063 connection involving only two machines. In tunnel mode, the IPSEC
10064 machines act as gateways and trafiic for any number of client machines
10065 may be carried.</P>
10066 <H3><A name="tunnel.ipsec">Tunnel mode</A></H3>
10067 <P>Security gateways are required to support tunnel mode connections.
10068 In this mode the gateways provide tunnels for use by client machines
10069 behind the gateways. The client machines need not do any IPSEC
10070 processing; all they have to do is route things to gateways.</P>
10071 <H3><A name="transport.ipsec">Transport mode</A></H3>
10072 <P>Host machines (as opposed to security gateways) with IPSEC
10073 implementations must also support transport mode. In this mode, the
10074 host does its own IPSEC processing and routes some packets via IPSEC.</P>
10075 <H2><A name="parts">FreeS/WAN parts</A></H2>
10076 <H3><A name="KLIPS.ipsec">KLIPS: Kernel IPSEC Support</A></H3>
10077 <P>KLIPS is <STRONG>K</STRONG>erne<STRONG>L</STRONG><STRONG> IP</STRONG>
10078 SEC <STRONG> S</STRONG>upport, the modifications necessary to support
10079 IPSEC within the Linux kernel. KILPS does all the actual IPSEC
10080 packet-handling, including</P>
10082 <LI>encryption</LI>
10083 <LI>packet authentication calculations</LI>
10084 <LI>creation of ESP and AH headers for outgoing packets</LI>
10085 <LI>interpretation of those headers on incoming packets</LI>
10087 <P>KLIPS also checks all non-IPSEC packets to ensure they are not
10088 bypassing IPSEC security policies.</P>
10089 <H3><A name="Pluto.ipsec">The Pluto daemon</A></H3>
10090 <P><A href="manpage.d/ipsec_pluto.8.html">Pluto(8)</A> is a daemon
10091 which implements the IKE protocol. It</P>
10093 <LI>handles all the Phase one ISAKMP SAs</LI>
10094 <LI>performs host authentication and negotiates with other gateways</LI>
10095 <LI>creates IPSEC SAs and passes the data required to run them to KLIPS</LI>
10096 <LI>adjust routing and firewall setup to meet IPSEC requirements. See
10097 our <A href="firewall.html"> IPSEC and firewalling</A> document for
10100 Pluto is controlled mainly by the <A href="manpage.d/ipsec.conf.5.html">
10101 ipsec.conf(5)</A> configuration file.
10102 <H3><A name="command">The ipsec(8) command</A></H3>
10103 <P>The ipsec(8) command is a front end that allows control over IPSEC
10105 <H3><A name="ipsec.conf">Linux FreeS/WAN configuration file</A></H3>
10106 <P>The configuration file for Linux FreeS/WAN is</P>
10110 For details see the <A href="manpage.d/ipsec.conf.5.html">ipsec.conf(5)</A>
10111 manual page and our <A href="config.html">Configuration</A> section.
10112 <H2><A name="key">Key management</A></H2>
10113 <P>There are several ways IPSEC can manage keys. Not all are
10114 implemented in Linux FreeS/WAN.</P>
10115 <H3><A name="current">Currently Implemented Methods</A></H3>
10116 <H4><A name="manual">Manual keying</A></H4>
10117 <P>IPSEC allows keys to be manually set. In Linux FreeS/WAN, such keys
10118 are stored with the connection definitions in /etc/ipsec.conf.</P>
10119 <P><A href="#manual">Manual keying</A> is useful for debugging since it
10120 allows you to test the <A href="#KLIPS">KLIPS</A> kernel IPSEC code
10121 without the <A href="#Pluto">Pluto</A> daemon doing key negotiation.</P>
10122 <P>In general, however, automatic keying is preferred because it is
10124 <H4><A name="auto">Automatic keying</A></H4>
10125 <P>In automatic keying, the <A href="#Pluto">Pluto</A> daemon
10126 negotiates keys using the <A href="#IKE">IKE</A> Internet Key Exchange
10127 protocol. Connections are automatically re-keyed periodically.</P>
10128 <P>This is considerably more secure than manual keying. In either case
10129 an attacker who acquires a key can read every message encrypted with
10130 that key, but automatic keys can be changed every few hours or even
10131 every few minutes without breaking the connection or requiring
10132 intervention by the system administrators. Manual keys can only be
10133 changed manually; you need to shut down the connection and have the
10134 two admins make changes. Moreover, they have to communicate the new
10135 keys securely, perhaps with <A href="#PGP">PGP</A> or <A href="#SSH">SSH</A>
10136 . This may be possible in some cases, but as a general solution it is
10137 expensive, bothersome and unreliable. Far better to let <A href="#Pluto">
10138 Pluto</A> handle these chores; no doubt the administrators have enough
10140 <P>Also, automatic keying is inherently more secure against an attacker
10141 who manages to subvert your gateway system. If manual keying is in use
10142 and an adversary acquires root privilege on your gateway, he reads
10143 your keys from /etc/ipsec.conf and then reads all messages encrypted
10144 with those keys.</P>
10145 <P>If automatic keying is used, an adversary with the same privileges
10146 can read /etc/ipsec.secrets, but this does not contain any keys, only
10147 the secrets used to authenticate key exchanges. Having an adversary
10148 able to authenticate your key exchanges need not worry you overmuch.
10149 Just having the secrets does not give him any keys. You are still
10150 secure against <A href="#passive">passive</A> attacks. This property of
10151 automatic keying is called <A href="#PFS">perfect forward secrecy</A>,
10152 abbreviated PFS.</P>
10153 <P>Unfortunately, having the secrets does allow an <A href="#active">
10154 active attack</A>, specifically a <A href="#middle">man-in-the-middle</A>
10155 attack. Losing these secrets to an attacker may not be quite as
10156 disastrous as losing the actual keys, but it is <EM>still a serious
10157 security breach</EM>. These secrets should be guarded as carefully as
10159 <H3><A name="notyet">Methods not yet implemented</A></H3>
10160 <H4><A name="noauth">Unauthenticated key exchange</A></H4>
10161 <P>It would be possible to exchange keys without authenticating the
10162 players. This would support <A href="#carpediem"> opportunistic
10163 encryption</A> -- allowing any two systems to encrypt their
10164 communications without requiring a shared PKI or a previously
10165 negotiated secret -- and would be secure against <A href="#passive">
10166 passive attacks</A>. It would, however, be highly vulnerable to active <A
10167 href="#middle">man-in-the-middle</A> attacks. RFC 2408 therefore
10168 specifies that all <A href="#ISAKMP">ISAKMP</A> key management
10169 interactions <EM>must</EM> be authenticated. </P>
10170 <P>There is room for debate here. Should we provide immediate security
10171 against <A href="#passive">passive attacks</A> and encourage
10172 widespread use of encryption, at the expense of risking the more
10173 difficult <A href="#active">active attacks</A>? Or should we wait until
10174 we can implement a solution that can both be widespread and offer
10175 security against active attacks?</P>
10176 <P>So far, we have chosen the second course, complying with the RFCs
10177 and waiting for secure DNS (see <A href="#DNS">below</A>) so that we
10178 can do <A href="#carpediem">opportunistic encryption</A> right.</P>
10179 <H4><A name="DNS">Key exchange using DNS</A></H4>
10180 <P>The IPSEC RFCs allow key exchange based on authentication services
10181 provided by <A href="#SDNS">Secure DNS</A>. Once Secure DNS service
10182 becomes widely available, we expect to make this the <EM>primary key
10183 management method for Linux FreeS/WAN</EM>. It is the best way we know
10184 of to support <A href="#carpediem">opportunistic encryption</A>,
10185 allowing two systems without a common PKI or previous negotiation to
10186 secure their communication.</P>
10187 <P>As of FreeS/WAN 1.4, we have experimental code to acquire RSA keys
10188 from DNS but do not yet have code to validate Secure DNS signatures.</P>
10189 <H4><A name="PKI">Key exchange using a PKI</A></H4>
10190 <P>The IPSEC RFCs allow key exchange based on authentication services
10191 provided by a <A href="#PKI">PKI</A> or Public Key Infrastructure.
10192 With many vendors selling such products and many large organisations
10193 building these infrastructures, this will clearly be an important
10194 application of IPSEC and one Linux FreeS/WAN will eventually support.</P>
10195 <P>On the other hand, this is not as high a priority for Linux
10196 FreeS/WAN as solutions based on <A href="#SDNS">secure DNS</A>. We do
10197 not expect any PKI to become as universal as DNS.</P>
10198 <P>Some <A href="#patch">patches</A> to handle authentication with
10199 X.509 certificates, which most PKIs use, are available.</P>
10200 <H4><A name="photuris">Photuris</A></H4>
10201 <P><A href="#photuris"> Photuris</A> is another key management
10202 protocol, an alternative to IKE and ISAKMP, described in RFCs 2522 and
10203 2523 which are labelled "experimental". Adding Photuris support to
10204 Linux FreeS/WAN might be a good project for a volunteer. The likely
10205 starting point would be the OpenBSD photurisd code.</P>
10206 <H4><A name="skip">SKIP</A></H4>
10207 <P><A href="#SKIP">SKIP</A> is yet another key management protocol,
10208 developed by Sun. At one point it was fairly widely used, but our
10209 current impression is that it is moribund, displaced by IKE. Sun now
10210 (as of Solaris 8.0) ship an IPSEC implementation using IKE. We have no
10211 plans to implement SKIP.</P>
10213 <H1><A name="lists">Mailing lists and newsgroups</A></H1>
10214 <H2><A name="list.fs">Mailing lists about FreeS/WAN</A></H2>
10215 <H3><A name="projlist">The project mailing lists</A></H3>
10216 The Linux FreeS/WAN project has several email lists for user support,
10217 bug reports and software development discussions.
10218 <P> We had a single list on clinet.fi for several years (Thanks,
10219 folks!), then one list on freeswan.org, but now we've split into
10222 <DT><A href="mailto:users-request@lists.freeswan.org?body=subscribe">
10226 <LI>The general list for discussing use of the software </LI>
10227 <LI>The place for seeking <STRONG>help with problems</STRONG> (but
10228 please check the <A href="faq.html">FAQ</A> first). </LI>
10229 <LI>Anyone can post. </LI>
10232 <DT><A href="mailto:bugs-request@lists.freeswan.org?body=subscribe">bugs</A>
10236 <LI>For <STRONG>bug reports</STRONG>. </LI>
10237 <LI>If you are not certain what is going on -- could be a bug, a
10238 configuration error, a network problem, ... -- please post to the
10239 users list instead. </LI>
10240 <LI>Anyone can post. </LI>
10243 <DT><A href="mailto:design-request@lists.freeswan.org?body=subscribe">
10247 <LI><STRONG>Design discussions</STRONG>, for people working on
10248 FreeS/WAN development or others with an interest in design and
10249 security issues. </LI>
10250 <LI>It would be a good idea to read the existing design papers (see
10251 this <A href="#applied">list</A>) before posting. </LI>
10252 <LI>Anyone can post. </LI>
10255 <DT><A href="mailto:announce-request@lists.freeswan.org?body=subscribe">
10259 <LI>A <STRONG>low-traffic</STRONG> list. </LI>
10260 <LI><STRONG>Announcements</STRONG> about FreeS/WAN and related
10262 <LI>All posts here are also sent to the users list. You need not
10263 subscribe to both. </LI>
10264 <LI>Only the FreeS/WAN team can post. </LI>
10265 <LI>If you have something you feel should go on this list, send it to <VAR>
10266 announce-admin@lists.freeswan.org</VAR>. Unless it is obvious, please
10267 include a short note explaining why we should post it.</LI>
10270 <DT><A href="mailto:briefs-request@lists.freeswan.org?body=subscribe">
10274 <LI>A <STRONG>low-traffic</STRONG> list. </LI>
10275 <LI><STRONG>Weekly summaries</STRONG> of activity on the users list. </LI>
10276 <LI>All posts here are also sent to the users list. You need not
10277 subscribe to both. </LI>
10278 <LI>Only the FreeS/WAN team can post. </LI>
10282 To subscribe to any of these, you can:
10284 <LI>just follow the links above </LI>
10285 <LI>use our <A href="http://www.freeswan.org/mail.html">web interface</A>
10287 <LI>send mail to <VAR>listname</VAR>-request@lists.freeswan.org with a
10288 one-line message body "subscribe" </LI>
10290 <P> Archives of these lists are available via the <A href="http://www.freeswan.org/mail.html">
10291 web interface</A>. </P>
10292 <H4><A name="policy.list">List policies</A></H4>
10293 <STRONG> US citizens or residents are asked not to post code to the
10294 lists, not even one-line bug fixes</STRONG>. The project cannot accept
10295 code which might entangle it in US <A href="#exlaw">export restrictions</A>
10297 <P> Non-subscribers can post to some of these lists. This is necessary;
10298 someone working on a gateway install who encounters a problem may not
10299 have access to a subscribed account. </P>
10300 <P> Some spam turns up on these lists from time to time. For discussion
10301 of why we do not attempt to filter it, see the <A href="#spam">FAQ</A>.
10302 Please do not clutter the lists with complaints about this. </P>
10303 <H3><A name="archive">Archives of the lists</A></H3>
10304 <P> Searchable archives of the old single list have existed for some
10305 time. At time of writing, it is not yet clear how they will change for
10306 the new multi-list structure.</P>
10308 <LI><A href="http://www.sandelman.ottawa.on.ca/linux-ipsec">Canada</A></LI>
10309 <LI><A href="http://www.nexial.com">Holland</A></LI>
10311 <P> Note that these use different search engines. Try both.</P>
10312 <P> Archives of the new lists are available via the <A href="http://www.freeswan.org/mail.html">
10313 web interface</A>. </P>
10314 <H2><A name="indexes">Indexes of mailing lists</A></H2>
10315 <P><A href="http://paml.net/"> PAML</A> is the standard reference for <STRONG>
10316 P</STRONG>ublicly <STRONG>A</STRONG>ccessible <STRONG>M</STRONG>ailing <STRONG>
10317 L</STRONG>ists. When we last checked, it had over 7500 lists on an
10318 amazing variety of topics. It also has FAQ information and a search
10320 <P> There is an index of <A href="http://oslab.snu.ac.kr/~djshin/linux/mail-list/index.shtml">
10321 Linux mailing lists</A> available.</P>
10322 <P> A list of <A href="http://xforce.iss.net/maillists/otherlists.php">
10323 computer security mailing lists</A>, with descriptions.</P>
10324 <H2><A name="otherlists">Lists for related software and topics</A></H2>
10325 <P> Most links in this section point to subscription addresses for the
10326 various lists. Send the one-line message "subscribe <VAR>list_name</VAR>
10327 " to subscribe to any of them.</P>
10328 <H3><A name="linux.lists">Linux mailing lists</A></H3>
10330 <LI><A href="mailto:majordomo@vger.kernel.org">
10331 linux-admin@vger.kernel.org</A>, for Linux system administrators</LI>
10332 <LI><A href="mailto:majordomo@rustcorp.com">ipchains@rustcorp.com</A>,
10333 about the IPchains firewall tool</LI>
10334 <LI><A href="mailto:majordomo@samba.anu.edu.au">
10335 netfilter@samba.anu.edu.au</A>, about Netfilter, which replaces
10336 IPchains in kernels 2.3.15 and later</LI>
10337 <LI><A href="mailto:securedistros-request@humbolt.geo.uu.nl">
10338 securedistros@humbolt.geo.uu.nl</A>, for discussion of issues common
10339 to all the half dozen projects working on secure Linux distributions.
10340 Each project also has its own mailing list.
10342 <LI><A href="bastille-linux-discuss@lists.sourceforge.net">Bastille
10343 Linux</A> scripts to harden Redhat, e.g. by changing permissions and
10344 modifying inialisation scripts</LI>
10345 <LI><A href="http://immunix.org/">Immunix</A> take a different
10346 approach, using a modified compiler to build kernel and utilities
10347 with better resistance to various types of overflow and exploit</LI>
10350 <LI><A href="mailto:security-audit-request@ferret.lmh.ox.ac.uk">
10351 security-audit@ferret.lmh.ox.ac.uk</A>, for people working on security
10352 audits of various Linux programs</LI>
10353 <LI>the <A href="#NSA">NSA</A> have contractors working on a Security
10354 Enhanced Linux, primaily adding stronger access control mechanisms.
10355 You can download the current version (which interestingly is under GPL
10356 and not export resrtricted) or subscribe to the mailing list from the <A
10357 href="http://www.nsa.gov/selinux">project web page</A>. </LI>
10359 <H3><A name="ietf">Lists for IETF working groups</A></H3>
10360 <P>Each <A href="#IETF">IETF</A> working group has an associated
10361 mailing list where much of the work takes place.</P>
10363 <LI><A href="mailto:majordomo@lists.tislabs.com">ipsec@lists.tislabs.com</A>
10364 , the IPSEC <A href="http://www.ietf.org/html.charters/ipsec-charter.html">
10365 working group</A>. This is where the protocols are discussed, new
10366 drafts announced, and so on. By now, the IPSEC working group is
10367 winding down since the work is essentially complete. A <A href="http://www.sandelman.ottawa.on.ca/ipsec/">
10368 list archive</A> is available.</LI>
10369 <LI><A href="mailto:ipsec-policy-request@vpnc.org">IPSEC policy</A>
10370 list, and its <A href="http://www.vpnc.org/ipsec-policy/">archive</A></LI>
10371 <LI><A href="mailto:ietf-ipsra-request@vpnc.org">IP secure remote
10372 access</A> list, and its <A href="http://www.vpnc.org/ietf-ipsra/mail-archive/">
10375 <H3><A name="other">Other mailing lists</A></H3>
10377 <LI><A href="mailto:ipc-announce-request@privacy.org">
10378 ipc-announce@privacy.org</A> a low-traffic list with announcements of
10379 developments in privacy, encryption and online civil rights</LI>
10380 <LI>a VPN mailing list's <A href="http://kubarb.phsx.ukans.edu/~tbird/vpn.html">
10383 <H2><A name="newsgroups">Usenet newsgroups</A></H2>
10386 <LI>sci.crypt.research</LI>
10387 <LI>comp.dcom.vpn</LI>
10388 <LI>talk.politics.crypto</LI>
10391 <H1><A name="weblink">Web links</A></H1>
10392 <H2><A name="freeswan">The Linux FreeS/WAN Project</A></H2>
10393 <P>The main project web site is <A href="http://www.freeswan.org/">
10394 www.freeswan.org</A>.</P>
10395 <P>Links to other project-related <A href="#webdocs">sites</A> are
10396 provided in our introduction section.</P>
10397 <H3><A name="patch">Add-ons and patches for FreeS/WAN</A></H3>
10398 <P> Some user-contributed patches gave been integrated into the
10399 FreeS/WAN distribution. For a variety of reasons, those listed below
10401 <P>Patches believed current at time of writing (March 2001, just before
10404 <LI><A href="http://www.zengl.net/freeswan/download/">patches and
10405 utilities</A> for using FreeS/WAN with PGPnet</LI>
10406 <LI>patches for <A href="http://www.strongsec.com/freeswan/">X.509
10407 certificate support</A>, also available from a <A href="http://www.twi.ch/~sna/strongsec/freeswan/">
10408 mirror site</A></LI>
10409 <LI>a <A href="http://tzukanov.narod.ru/">series</A> of patches that
10411 <LI>provide GOST, a Russian gov't. standard cipher, in MMX assembler </LI>
10412 <LI>add GOST to OpenSSL </LI>
10413 <LI>add GOST to the International kernel patch </LI>
10414 <LI>let FreeS/WAN use International kernel patch ciphers </LI>
10417 <LI><A href="http://www.ipv6.iabg.de/downloadframe/index.html">IPv6
10420 <P> Before using these, check the <A href="mail.html">mailing list</A>
10421 for news of newer versions and to see whether they have been
10422 incorporated into more recent versions of FreeS/WAN.</P>
10423 <P><STRONG> Note:</STRONG> At one point the way PGP generates RSA keys
10424 and the way FreeS/WAN checks them for validity before using them were
10425 slightly different, so quite a few PGP-generated keys would be rejected
10426 by FreeS/WAN, confusing users no end. This is fixed in 1.9. </P>
10427 <P> A set of PKIX patches were recently announced on the mailing list:</P>
10429 Subject: a different PKIX patch.
10430 Date: Mon, 5 Mar 2001
10431 From: Luc Lanthier <firesoul@netwinder.org>
10433 I'd like to invite volunteers to use the now-complete PKIX project I've
10434 been working on since about August. Because of this, the patch is for
10435 FreeSWAN 1.5, not 1.8... I haven't really felt the need to update it since
10436 I don't use IPV6 nor DNSSec.
10438 This is similar, but different than Andreas Steffen's pkix
10439 implementation. I've based this work on Neil Dunbar's openssl-pkix patch
10440 for FreeSWAN 1.1. I've updated it to run on FreeSWAN 1.5 correctly, and
10441 added support for ID_DER_ASN1_DN ID packet support. It will do LDAP
10442 certificate lookups no problem, as well as local flatfile, directory, or
10443 DB lookup for testing or speed.
10445 IE: It's a full CA-compatible client, capable of looking up, checking the
10446 CRL for expiry and such. It will not only do the classic PSK and RSASIG
10447 freeswan methods just fine, but also does PKIX's RSASIG, PKE and
10448 RPKE. I've spent a lot of time adding RoadWarrior support for these last
10449 IKE exchange methods.
10451 The patch can be found as:
10452 ftp://ftp.netwinder.org/users/f/firesoul/freeswan-1.5-pkix_13.patch
10453 There are also freeswan-1.5 - kernel 2.4 patches for those who need them.
10455 Let me know. Feedback is appreciated.
10457 <P> Older patches:</P>
10459 <LI>Neil Dunbar's patches for <A href="ftp://hplose.hpl.hp.com/pub/nd/pluto-openssl.tar.gz">
10460 certificate support</A>, using code from <A href="www.openssl.com">
10462 <LI><A href="ftp://ftp.heise.de/pub/ct/listings/9916-180.tgz">patches</A>
10463 to add <A href="#Blowfish">Blowfish</A>, <A href="#IDEA">IDEA</A> and <A
10464 href="#CAST128">CAST-128</A> to FreeS/WAN</LI>
10465 <LI><A href="http://www.cendio.se/~bellman/aggressive-pluto.snap.tar.gz">
10466 patches</A> for aggressive mode support </LI>
10468 <P> These patches are for older versions of FreeS/WAN and will likely
10469 not work with the current version. Older versions of FreeS/WAN may be
10470 available on some of the <A href="intro.html#site">distribution sites</A>
10471 , but we recommend using the current release.</P>
10472 <H4><A name="VPN.masq">VPN masquerade patches</A></H4>
10473 Finally, there are some patches to other code that may be useful with
10476 <LI>a <A href="ftp://ftp.rubyriver.com/pub/jhardin/masquerade/ip_masq_vpn.html">
10477 patch</A> to make IPSEC, PPTP and SSH VPNs work through a Linux
10478 firewall with <A href="#masq">IP masquerade</A>. </LI>
10479 <LI><A href="http://www.linuxdoc.org/HOWTO/VPN-Masquerade-HOWTO.html">
10480 Linux VPN Masquerade HOWTO</A></LI>
10482 Note that this is not required if the same machine does IPSEC and
10483 masquerading, only if you want a to locate your IPSEC gateway on a
10484 masqueraded network. See our <A href="#NAT">firewalls</A> document for
10485 discussion of why this is problematic.
10486 <P> At last report, this patch could not co-exist with FreeS/WAN on the
10488 <H3><A name="dist">Distributions including FreeS/WAN</A></H3>
10489 <P>The introductory section of our document set lists several <A href="#distwith">
10490 Linux distributions</A> which include FreeS/WAN.</P>
10491 <H3><A name="used">Things FreeS/WAN uses or could use</A></H3>
10493 <LI><A href="http://openpgp.net/random">/dev/random</A> support page,
10494 discussion of and code for the Linux <A href="#random">random number
10495 driver</A>. Out-of-date when we last checked (January 2000), but still
10497 <LI>other programs related to random numbers:
10499 <LI><A href="http://www.mindrot.org/code/audio-entropyd.php3">audio
10500 entropy daemon</A> to gather noise from a sound card and feed it into
10502 <LI>an <A href="http://www.lothar.com/tech/crypto/">entropy-gathering
10504 <LI>a driver for the random number generator in recent <A href="http://gtf.org/garzik/drivers/i810_rng/">
10505 Intel chipsets</A></LI>
10508 <LI>a Linux <A href="http://www.marko.net/l2tp/">L2TP Daemon</A> which
10509 might be useful for communicating with Windows 2000 which builds L2TP
10510 tunnels over its IPSEC connections</LI>
10511 <LI><A href="http://www.bhconsult.com/packetspy/">packet spy</A>, a
10512 packet sniffer whose author said in a Dec 1999 message "It's very
10513 unfinished, especially the filter, but it can give you an ascii and
10514 hex dump at the same time. I started it specifically for snooping a
10515 FreeS/WAN installation."</LI>
10516 <LI>to use opportunistic encryption, you need a recent version of <A href="#BIND">
10517 BIND</A>. Get one from the <A href="ftp://ftp.xs4all.nl/pub/crypto/freeswan">
10518 FreeS/WAN site</A> or from the <A href="http://www.isc.org">Internet
10519 Software Consortium</A> who maintain BIND. </LI>
10521 <H3><A name="alternatives">Other approaches to VPNs for Linux</A></H3>
10523 <LI>other Linux <A href="#linuxIPSEC">IPSEC implementations</A></LI>
10524 <LI><A href="http://www.tik.ee.ethz.ch/~skip/">ENskip</A>, a free
10525 implementation of Sun's <A href="#SKIP">SKIP</A> protocol</LI>
10526 <LI><A href="http://sunsite.auc.dk/vpnd/">vpnd</A>, a non-IPSEC VPN
10527 daemon for Linux which creates tunnels using <A href="#Blowfish">
10528 Blowfish</A> encryption</LI>
10529 <LI><A href="http://www.winton.org.uk/zebedee/">Zebedee</A>, a simple
10530 GPLd tunnel-building program with Linux and Win32 versions. The name
10531 is from <STRONG> Z</STRONG>lib compression, <STRONG>B</STRONG>lowfish
10532 encryption and <STRONG>D</STRONG>iffie-Hellman key exchange.</LI>
10533 <LI>LinuxCare's <A href="http://www.strongcrypto.com/">VPS (Virtual
10534 Private Server)</A> which builds tunnels using <A href="#SSH">SSH</A></LI>
10535 <LI>Moreton Bay's <A href="http://www.moretonbay.com/vpn/pptp.html">
10536 PoPToP</A>, PPTP for Linux</LI>
10537 <LI><A href="http://sites.inka.de/sites/bigred/devel/cipe.html">CIPE</A>
10538 (crypto IP routers) project, using their own lightweight protocol to
10539 encrypt between routers</LI>
10540 <LI><A href="http://vtun.netpedia.net/">vtun</A> "virtual tunnels",
10541 using Blowfish</LI>
10542 <LI><A href="http://tinc.nl.linux.org/">tinc</A>, a VPN Daemon</LI>
10544 <P> There is a list of <A href="http://www.securityportal.com/lskb/10000000/kben10000005.html">
10545 Linux VPN</A> software in the <A href="http://www.securityportal.com/lskb/kben00000001.html">
10546 Linux Security Knowledge Base</A>. </P>
10547 <H2><A name="ipsec.link">The IPSEC Protocols</A></H2>
10548 <H3><A name="general">General IPSEC or VPN information</A></H3>
10550 <LI>The <A href="http://www.vpnc.org">VPN Consortium</A> is a group for
10551 vendors of IPSEC products. Among other things, they have a good
10552 collection of <A href="http://www.vpnc.org/white-papers.html">IPSEC
10553 white papers</A>.</LI>
10554 <LI>A VPN mailing list with a <A href="http://kubarb.phsx.ukans.edu/~tbird/vpn.html">
10555 home page</A>, a FAQ, some product comparisons, and many links.</LI>
10556 <LI>A list of <A href="http://www.cs.umass.edu/~lmccarth/ipsec.html">
10557 IPSEC links</A> from Lewis McCarthy at U Mass.</LI>
10558 <LI><A href="http://www.opus1.com/vpn/index.html">VPN pointer page</A></LI>
10559 <LI>a <A href="http://www.epm.ornl.gov/~dunigan/vpn.html">collection</A>
10560 of VPN links, and some explanation </LI>
10562 <H3><A name="overview">IPSEC overview documents or slide sets</A></H3>
10564 <LI>the FreeS/WAN <A href="ipsec.html">document section</A> on these
10566 <LI>A good <A href="http://www.data.com/tutorials/bullet.html">
10567 introductory article </A> with links to several articles on related
10569 <LI><A href="http://www.ipsec.com/ipsectech.html">SSH Communications
10571 <LI>Timestep Corporation's tutorial: go to their <A href="http://www.timestep.com">
10572 web site</A>, then follow the "VPN Overview" link</LI>
10574 <H3><A name="otherlang">IPSEC information in languages other than
10577 <LI><A href="http://www.imib.med.tu-dresden.de/imib/Internet/Literatur/ipsec-docu.html">
10579 <LI><A href="http://www.kame.net/index-j.html">Japanese</A></LI>
10581 <H3><A name="RFCs1">RFCs and other reference documents</A></H3>
10583 <LI><A href="rfc.html">Our document</A> listing the RFCs relevant to
10584 Linux FreeS/WAN and giving various ways of obtaining both RFCs and
10585 Internet Drafts.</LI>
10586 <LI><A href="http://www.vpnc.org/ipsec-standards.html">IPSEC standards</A>
10587 page maintained by <A href="#VPNC">VPNC</A>. This covers both RFCs and
10588 Drafts, and classifies them in a fairly helpful way.</LI>
10589 <LI><A href="http://www.rfc-editor.org">RFC archive</A></LI>
10590 <LI><A href="http://www.ietf.org/ids.by.wg/ipsec.html">Internet Drafts</A>
10591 related to IPSEC</LI>
10592 <LI>US government <A href="http://www.itl.nist.gov/div897/pubs"> site</A>
10593 with their <A href="#FIPS">FIPS</A> standards</LI>
10594 <LI>Archives of the ipsec@tis.com mailing list where discussion of
10595 drafts takes place.
10597 <LI><A href="http://www.sandelman.ottawa.on.ca/ipsec">Eastern Canada</A>
10599 <LI><A href="http://www.vpnc.org/ietf-ipsec">California</A>.</LI>
10603 <H3><A name="analysis">Analysis and critiques of IPSEC protocols</A></H3>
10605 <LI>Counterpane's <A href="http://www.counterpane.com/ipsec.pdf">
10606 evaluation</A> of the protocols</LI>
10607 <LI>Simpson's <A href="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/1999/06/msg00319.html">
10608 IKE Considered Dangerous</A> paper. Note that this is a link to an
10609 archive of our mailing list. There are several replies in addition to
10610 the paper itself.</LI>
10611 <LI>Bellovin's <A href="http://www.research.att.com/~smb/papers/index.html">
10612 papers</A> page including his:
10614 <LI>Security Problems in the TCP/IP Protocol Suite (1989)</LI>
10615 <LI>Problem Areas for the IP Security Protocols (1996)</LI>
10616 <LI>Probable Plaintext Cryptanalysis of the IP Security Protocols
10620 <LI>Catherine Meadows of NRL applied the NRL Protocol Analyzer to IKE.
10621 Her paper is available in <A href="http://chacs.nrl.navy.mil/publications/CHACS/1999/1999meadows-IEEE99.pdf">
10622 PDF</A> or <A href="http://chacs.nrl.navy.mil/publications/CHACS/1999/1999meadows-IEEE99.ps">
10623 Postscript</A>.</LI>
10624 <LI>An <A href="http://www.lounge.org/ike_doi_errata.html">errata list</A>
10625 for the IPSEC RFCs.</LI>
10627 <H3><A name="IP.background">Background information on IP</A></H3>
10629 <LI>An introduction to <A href="http://www.3com.com/nsc/501302.html">IP
10630 addressing</A> from 3Com</LI>
10631 <LI>An <A href="http://ipprimer.windsorcs.com/">IP tutorial</A> that
10632 seems to be written mainly for Netware or Microsoft LAN admins
10633 entering a new world</LI>
10634 <LI><A href="http://www.iana.org">IANA</A>, Internet Assigned Numbers
10636 <LI><A href="http://public.pacbell.net/dedicated/cidr.html">CIDR</A>,
10637 Classless Inter-Domain Routing</LI>
10638 <LI>Also see our <A href="biblio.html">bibliography</A></LI>
10640 <H2><A name="implement">IPSEC Implementations</A></H2>
10641 <H3><A name="linuxprod">Linux products</A></H3>
10642 <P> Vendors using FreeS/WAN in turnkey firewall or VPN products are
10643 listed in our <A href="#turnkey">introduction</A>.</P>
10644 <P>Other vendors have Linux IPSEC products which, as far as we know, do
10645 not use FreeS/WAN</P>
10647 <LI><A href="http://www.redcreek.com/products/shareware.html">Redcreek</A>
10648 provide an open source Linux driver for their PCI hardware VPN card.
10649 This card has a 100 Mbit Ethernet port, an Intel 960 CPU plus more
10650 specialised crypto chips, and claimed encryption performance of 45
10651 Mbit/sec. The PC sees it as an Ethernet board.</LI>
10652 <LI><A href="http://linuxtoday.com/stories/8428.html?nn">Paktronix</A>
10653 offer a Linux-based VPN with hardware encryption </LI>
10654 <LI>According to a report on our mailing list, <A href="http://www.watchguard.com/">
10655 Watchguard</A> use Linux in their Firebox product.</LI>
10656 <LI><A href="http://www.entrust.com">Entrust</A> offer a developers'
10657 toolkit for using their <A href="#PKI">PKI</A> for IPSEC
10658 authentication</LI>
10659 <LI>According to a report on our mailing list, <A href="www.axent.com">
10660 Axent</A> have a Linux version of their product. </LI>
10662 <H3><A name="router">IPSEC in router products</A></H3>
10663 <P> All the major router vendors support IPSEC, at least in some models.</P>
10665 <LI><A href="http://www.cisco.com/warp/public/707/16.html">Cisco</A>
10666 IPSEC information</LI>
10667 <LI><A href="http://www.ascend.com/">Ascend</A>, now part of Lucent,
10668 have some IPSEC-based products</LI>
10669 <LI><A href="http://www.nortelnetworks.com/">Bay Networks</A>, now part
10670 of Nortel, use IPSEC in their Contivity switch product line</LI>
10671 <LI><A href="http://www.3com.com/products/enterprise.html">3Com</A>
10672 have a number of VPN products, some using IPSEC</LI>
10674 <H3><A name="fw.web">IPSEC in firewall products</A></H3>
10675 Many firewall vendors offer IPSEC, either as a standard part of their
10676 product, or an optional extra. A few we know about are:
10678 <LI><A href="http://www.borderware.com/">Borderware</A></LI>
10679 <LI><A href="http://www.ashleylaurent.com/vpn/ipsec_vpn.htm">Ashley
10681 <LI><A href="http://www.watchguard.com">Watchguard</A></LI>
10682 <LI><A href="http://www.fx.dk/firewall/ipsec.html">Injoy</A> for OS/2 </LI>
10684 <P> Vendors using FreeS/WAN in turnkey firewall products are listed in
10685 our <A href="turnkey">introduction</A>.</P>
10686 <H3><A name="ipsecos">Operating systems with IPSEC support</A></H3>
10687 <P>All the major open source operating systems support IPSEC. See below
10688 for details on <A href="#BSD">BSD-derived</A> Unix variants.</P>
10689 <P>Among commercial OS vendors, IPSEC players include:</P>
10691 <LI><A href="http://msdn.microsoft.com/isapi/msdnlib.idc?theURL=/library/backgrnd/html/msdn_ip_security.htm">
10692 Microsoft</A> have put IPSEC in their Windows 2000 products</LI>
10693 <LI>Apple's <A href="http://www.appleinsider.com/macosx.shtml">Mac OS X</A>
10694 has IPSEC support built in</LI>
10695 <LI><A href="http://www.s390.ibm.com/stories/1999/os390v2r8_pr.html">IBM</A>
10696 announce a release of OS390 with IPSEC support via a crypto
10698 <LI><A href="http://www.sun.com/solaris/ds/ds-security/ds-security.pdf">
10699 Sun</A> include IPSEC in Solaris 8</LI>
10700 <LI><A href="http://www.hp.com/security/products/extranet-security.html">
10701 Hewlett Packard</A> offer IPSEC for their Unix machines</LI>
10703 <H3><A name="opensource">Open source IPSEC implementations</A></H3>
10704 <H4><A name="linuxIPSEC">Other Linux IPSEC implementations</A></H4>
10705 <P>We like to think of FreeS/WAN as <EM>the</EM> Linux IPSEC
10706 implementation, but it is not the only one. Others we know of are:</P>
10708 <LI><A href="http://www.enst.fr/~beyssac/pipsec/">pipsecd</A>, a
10709 lightweight implementation of IPSEC for Linux. Does not require kernel
10710 recompilation.</LI>
10711 <LI>Petr Novak's <A href="ftp://ftp.eunet.cz/icz/ipnsec/">ipnsec</A>,
10712 based on the OpenBSD IPSEC code and using <A href="#photuris">Photuris</A>
10713 for key management</LI>
10714 <LI>A now defunct project at <A href="http://www.cs.arizona.edu/security/hpcc-blue/linux.html">
10715 U of Arizona</A> (export controlled)</LI>
10716 <LI><A href="http://snad.ncsl.nist.gov/cerberus">NIST Cerebus</A>
10717 (export controlled)</LI>
10719 <H4><A name="BSD">IPSEC for BSD Unix</A></H4>
10721 <LI><A href="http://www.kame.net/project-overview.html">KAME</A>,
10722 several large Japanese companies co-operating on IPv6 and IPSEC</LI>
10723 <LI><A href="http://web.mit.edu/network/isakmp">US Naval Research Lab</A>
10724 implementation of IPv6 and of IPSEC for IPv4 (export controlled)</LI>
10725 <LI><A href="http://www.openbsd.org/crypto">OpenBSD</A> includes IPSEC
10726 as a standard part of the distribution</LI>
10727 <LI><A href="http://www.r4k.net/ipsec">IPSEC for FreeBSD</A></LI>
10728 <LI>a <A href="http://www.netbsd.org/Documentation/network/ipsec/">FAQ</A>
10729 on NetBSD's IPSEC implementation</LI>
10731 <H4><A name="misc">IPSEC for other systems</A></H4>
10733 <LI><A href="http://www.tcm.hut.fi/Tutkimus/IPSEC/">Helsinki U of
10734 Technolgy</A> have implemented IPSEC for Solaris, Java and Macintosh</LI>
10736 <H3><A name="interop">Interoperability</A></H3>
10737 <P> The IPSEC protocols are designed so that different implementations
10738 should be able to work together. As they say "the devil is in the
10739 details". IPSEC has a lot of details, but considerable success has been
10741 <H4><A name="result">Interoperability results</A></H4>
10742 <P> Linux FreeS/WAN has been tested for interoperability with many
10743 other IPSEC implementations. Results to date are in our <A href="interop.html">
10744 interoperability</A> section.</P>
10745 <P>Various other sites have information on interoperability between
10746 various IPSEC implementations:</P>
10748 <LI><A href="http://www.opus1.com/vpn/atl99display.html">interop
10749 results</A> from a bakeoff in Atlanta, September 1999.</LI>
10750 <LI>a French company, HSC's, <A href="http://www.hsc.fr/ressources/presentations/ipsec99/index.html.en">
10751 interoperability</A> test data covers FreeS/WAN, Open BSD, KAME, Linux
10752 pipsecd, Checkpoint, Red Creek Ravlin, and Cisco IOS</LI>
10753 <LI><A href="http://www.icsa.net/">ICSA</A> offer certification
10754 programs for various security-related products. See their list of <A href="http://www.icsa.net/html/communities/ipsec/certification/certified_products/index.shtml">
10755 certified IPSEC</A> products. Linux FreeS/WAN is not currently on that
10756 list, but several products with which we interoperate are.</LI>
10757 <LI>VPNC have a page on why they are not yet doing <A href="http://www.vpnc.org/interop.html">
10758 interoperability</A> testing and a page on the <A href="http://www.vpnc.org/conformance.html">
10759 spec conformance</A> testing that they are doning</LI>
10760 <LI>a <A href="http://www.commweb.com/article/COM20000912S0009">review</A>
10761 comparing a dozen commercial IPSEC implemetations. Unfortunately, the
10762 reviewers did not look at Open Source implementations such as
10763 FreeS/WAN or OpenBSD.</LI>
10764 <LI><A href="http://www.tanu.org/~sakane/doc/public/report-ike-interop0007.html">
10765 results</A> from interoperability tests at a conference. FreeS/WAN was
10766 not tested there.</LI>
10767 <LI>test results from the <A href="http://www.hsc.fr/ressources/veille/ipsec/ipsec2000/">
10768 IPSEC 2000</A> conference </LI>
10770 <H4><A name="test1">Interoperability test sites</A></H4>
10772 <LI><A href="http://www.tahi.org/">TAHI</A>, a Japanese IPv6 testing
10773 project with free IPSEC validation software </LI>
10774 <LI><A href="http://ipsec-wit.antd.nist.gov">National Institute of
10775 Standards and Technology</A></LI>
10776 <LI><A href="http://www.rsa.com/rsa/SWAN/swan_test1.html">RSA Data
10778 <LI><A href="http://isakmp-test.ssh.fi/">SSH Communications Security</A>
10780 <LI><A href="http://www2.internetdevices.com/arch-lab/interop-testing">
10781 Internet Devices</A></LI>
10783 <H2><A name="linux.link">Linux links</A></H2>
10784 <H3><A name="linux.basic">Basic and tutorial Linux information</A></H3>
10786 <LI>Linux <A href="http://linuxcentral.com/linux/LDP/LDP/gs/gs.html">
10787 Getting Started</A> HOWTO document</LI>
10788 <LI>A getting started guide from the <A href="http://darkwing.uoregon.edu/~cchome/linuxgettingstarted.html">
10789 U of Oregon</A></LI>
10790 <LI>A large <A href="http://www.herring.org/techie.html">link
10791 collection</A> which includes a lot of introductory and tutorial
10792 material on Unix, Linux, the net, . . .</LI>
10794 <H3><A name="general">General Linux sites</A></H3>
10796 <LI><A href="http://members.aa.net/~swear/pedia/index.html">Gary's
10797 Encyclopedia</A>, several thousand Linux links, over 100 categories</LI>
10798 <LI><A href="http://www.freshmeat.net">Freshmeat</A> Linux news</LI>
10799 <LI><A href="http://slashdot.org">Slashdot</A> "News for Nerds"</LI>
10800 <LI><A href="http://www.linux.org">Linux Online</A></LI>
10801 <LI><A href="http://www.linuxhq.com">Linux HQ</A></LI>
10802 <LI><A href="http://www.tux.org">tux.org</A></LI>
10804 <H3><A name="docs1">Documentation</A></H3>
10806 <LI><A href="http://metalab.unc.edu/LDP">Linux Documentation Project</A>
10808 <LI><A href="http://metalab.unc.edu/LDP/HOWTO/META-FAQ.html">Meta-FAQ</A>
10809 guide to Linux information sources</LI>
10810 <LI><A href="http://metalab.unc.edu/LDP/HOWTO/HOWTO-INDEX-3.html">Index
10811 of HOWTO documents</A></LI>
10812 <LI><A href="http://metalab.unc.edu/LDP/HOWTO/Kernel-HOWTO.html">Kernel
10814 <LI><A href="http://metalab.unc.edu/LDP/HOWTO/Security-HOWTO.html">
10815 Security HOWTO</A></LI>
10816 <LI><A href="http://metalab.unc.edu/LDP/HOWTO/Networking-Overview-HOWTO.html">
10817 Networking Overview HOWTO</A></LI>
10818 <LI><A href="http://metalab.unc.edu/LDP/HOWTO/NET-3-HOWTO.html">Net 3
10820 <LI><A href="http://metalab.unc.edu/LDP/LDP/sag/node1.html">System
10821 Administrator's Guide</A></LI>
10822 <LI><A href="http://metalab.unc.edu/LDP/LDP/nag/node1.html">Network
10823 Adminstrator's Guide</A></LI>
10826 <LI><A href="www.oswg.org">Open Source Writers' Group</A>, cover the
10827 BSD derivatives as well as Linux
10829 <LI><A href="http://www.oswg.org/oswg/query/osdi">document index</A></LI>
10830 <LI>some good <A href="">essays</A> on open source ideas</LI>
10833 <LI>Tucows <A href="">Linux HowTo collection</A>, mostly a mirror of
10836 <H3><A name="advroute.web">Advanced routing</A></H3>
10837 <P>The Linux IP stack is getting some new features in 2.4 kernels. Most
10838 are already available as experimental code in 2.3 kernels. Some HowTos
10839 have been written:</P>
10841 <LI>several HowTos for the <A href="http://netfilter.kernelnotes.org/unreliable-guides/index.html">
10842 netfilter</A> firewall code in newer kernels</LI>
10843 <LI><A href="http://www.ds9a.nl/2.4Networking/HOWTO//cvs/2.4routing/output/2.4networking.html">
10844 2.4 networking</A> HowTo</LI>
10845 <LI><A href="http://www.ds9a.nl/2.4Networking/HOWTO//cvs/2.4routing/output/2.4routing.html">
10846 2.4 routing</A> HowTo</LI>
10848 <H3><A name="linsec">Security for Linux</A></H3>
10850 <LI><A href="http://metalab.unc.edu/LDP/HOWTO/Security-HOWTO.html">
10851 Security HOWTO</A></LI>
10852 <LI>Linux Security <A href="http://www.securityportal.com/lskb/kben00000001.html">
10853 Knowledge Base</A></LI>
10854 <LI><A href="http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html#trinityos">
10855 Trinity OS guide to setting up Linux</A></LI>
10856 <LI><A href="https://www.seifried.org/lasg/">Linux Administrator's
10857 Security Guide</A></LI>
10858 <LI><A href="http://www.ecst.csuchico.edu/~jtmurphy/">Linux security</A>
10860 <LI><A href="http://www.deter.com/unix">Unix security</A> page</LI>
10861 <LI><A href="http://linux01.gwdg.de/~alatham/">PPDD</A> encrypting
10863 <LI><A href="http://fachschaft.physik.uni-bielefeld.de/leute/marc/Encryption-HOWTO/">
10864 Linux Encryption HowTo</A> This does not cover FreeS/WAN (or didn't
10865 when I last checked, April 2000), only gives a pointer to our web
10866 site, but does have some good information on other things.</LI>
10868 <H3><A name="firewall.linux">Linux firewalls</A></H3>
10870 <LI><A href="http://rlz.ne.mediaone.net/linux">Linux Firewall page</A></LI>
10871 <LI><A href="http://ipmasq.cjb.net/">IP Masquerade resource page</A></LI>
10872 <LI><A href="http://www.rustcorp.com/linux/ipchains">IP chains</A>, the
10873 firewall code in 2.2 kernels.</LI>
10874 <LI><A href="http://netfilter.kernelnotes.org/unreliable-guides/index.html">
10875 netfilter</A> firewall code in kernels from 2.3.15 on</LI>
10876 <LI>Our list of general <A href="#firewall">firewall references</A> on
10878 <LI><A href="http://users.dhp.com/~whisper/mason/">Mason</A>, a tool
10879 for automatically configuring Linux firewalls</LI>
10880 <LI><A href="http://seawall.sourceforge.net/">Seattle Firewall</A>
10881 tools for building a firewall using ipchains and FreeS?WAN </LI>
10882 <LI>the web cache software <A href="http://www.squid-cache.org/">squid</A>
10883 and <A href="http://www.squidguard.org/">squidguard</A> which turns
10884 Squid into a filtering web proxy</LI>
10886 <H3><A name="linux.misc">Miscellaneous Linux information</A></H3>
10888 <LI><A href="http://lwn.net/current/dists.php3">List of Linux
10889 distribution vendors</A></LI>
10890 <LI>FAQ for the <A href="http://www.miscellaneous.net/linux/linux-admin-FAQ/linux-admin-FAQ-1.html">
10891 Linux adminstration</A> mailing list</LI>
10892 <LI>A web page about PPTP for Linux with a list of other <A href="http://www.moretonbay.com/vpn/pptp.html">
10893 Linux VPN</A> software</LI>
10895 <H2><A name="crypto.link">Crypto and security links</A></H2>
10896 <H3><A name="security">Crypto and security resources</A></H3>
10897 <H4><A name="std.links">The standard link collections</A></H4>
10898 <P>Two enormous collections of links, each the standard reference in
10901 <DT>Gene Spafford's <A href="http://www.cerias.purdue.edu/coast/hotlist/">
10902 COAST hotlist</A></DT>
10903 <DD>Computer and network security.</DD>
10904 <DT>Peter Gutmann's <A href="http://www.cs.auckland.ac.nz/~pgut001/links.html">
10905 Encryption and Security-related Resources</A></DT>
10906 <DD>Cryptography.</DD>
10908 <H4><A name="FAQ">Frequently Asked Question (FAQ) documents</A></H4>
10910 <LI><A href="http://www.faqs.org/faqs/cryptography-faq/">Cryptography
10912 <LI><A href="http://www.interhack.net/pubs/fwfaq">Firewall FAQ</A></LI>
10913 <LI>A FAQ listing computer security <A href="">mailing lists</A></LI>
10914 <LI><A href="http://www.whitefang.com/sup/secure-faq.html">Secure Unix
10915 Programming FAQ</A></LI>
10916 <LI>FAQs for specific programs are listed in the <A href="#tools">tools</A>
10917 section below.</LI>
10919 <H4><A name="cryptover">Tutorials</A></H4>
10921 <LI>Gary Kessler's <A href="http://www.garykessler.net/library/crypto.html">
10922 Overview of Cryptography</A></LI>
10923 <LI>Terry Ritter's <A href="http://www.io.com/~ritter/LEARNING.HTM">
10924 introduction</A></LI>
10925 <LI>Kurt Seifried's online <A href="http://www.securityportal.com/research/cryptodocs/basic-book/">
10926 introductory book</A></LI>
10927 <LI>Peter Gutman's <A href="http://www.cs.auckland.ac.nz/~pgut001/tutorial/index.html">
10928 cryptography</A> tutorial (500 slides in PDF format)</LI>
10929 <LI>Amir Herzberg of IBM's sildes for his course <A href="http://www.hrl.il.ibm.com/mpay/course.html">
10930 Introduction to Cryptography and Electronic Commerce</A></LI>
10931 <LI>the <A href="http://www.gnupg.org/gph/en/manual/c173.html">concepts
10932 section</A> of the <A href="#GPG">GNU Privacy Guard</A> documentation</LI>
10933 <LI>Bruce Schneier's self-study <A href="http://www.counterpane.com/self-study.html">
10934 cryptanalysis</A> course</LI>
10936 <P>See also the <A href="#interesting">interesting papers</A> section
10938 <H4><A name="standards">Crypto and security standards</A></H4>
10940 <LI><A href="http://csrc.nist.gov/cc">Common Criteria</A>, new
10941 international computer and network security standards to replace the
10942 "Rainbow" series</LI>
10943 <LI>AES <A href="http://csrc.nist.gov/encryption/aes/aes_home.htm">
10944 Advanced Encryption Standard </A> which will replace DES</LI>
10945 <LI><A href="http://grouper.ieee.org/groups/1363">IEEE P-1363 public
10946 key standard</A></LI>
10947 <LI>our collection of links for the <A href="#ipsec.link">IPSEC</A>
10949 <LI>history of <A href="http://www.visi.com/crypto/evalhist/index.html">
10950 formal evaluation</A> of security policies and implementation</LI>
10952 <H3><A name="policy">Cryptography law and policy</A></H3>
10953 <H4><A name="legal">Surveys of crypto law</A></H4>
10955 <LI>International survey of <A href="http://cwis.kub.nl/~FRW/PEOPLE/koops/lawsurvy.htm">
10956 crypto law</A>.</LI>
10957 <LI>International survey of <A href="http://rechten.kub.nl/simone/ds-lawsu.htm">
10958 digital signature law</A></LI>
10960 <H4><A name="oppose">Organisations opposing crypto restrictions</A></H4>
10962 <LI>The <A href="#EFF">EFF</A>'s archives on <A href="http://www.eff.org/pub/Privacy/">
10963 privacy</A> and <A href="http://www.eff.org/pub/Privacy/ITAR_export/">
10964 export control</A>.</LI>
10965 <LI><A href="www.gilc.org">Global Internet Liberty Campaign</A></LI>
10966 <LI><A href="http://www.cdt.org/crypto">Center for Democracy and
10967 Technology</A></LI>
10968 <LI><A href="http://www.privacyinternational.org/">Privacy
10969 International</A>, who give out <A href="http://www.bigbrotherawards.org/">
10970 Big Brother Awards</A> to snoopy organisations</LI>
10972 <H4><A name="other.policy">Other information on crypto policy</A></H4>
10974 <LI><A href="http://info.internet.isi.edu:80/in-notes/rfc/files/rfc1984.txt">
10975 RFC 1984</A>, the <A href="#IAB">IAB</A> and <A href="#IESG">IESG</A>
10976 Statement on Cryptographic Technology and the Internet.</LI>
10977 <LI>John Young's collection of <A href="http://jya.com/crypto.htm">
10978 documents</A> of interest to the cryptography, open government and
10979 privacy movements, organized chronologically</LI>
10980 <LI>Encryption, Privacy and Security <A href="http://www.crypto.com">
10981 Resource Page</A> with a mainly US focus</LI>
10982 <LI><A href="ftp://ftp.cygnus.com/pub/export/export.html">Cryptography
10983 Export Control Archive</A>, mainly links to court and govenment
10984 documents on various challenges to US law</LI>
10985 <LI>A good <A href="http://cryptome.org/crypto97-ne.htm">overview</A>
10986 of the issues from Australia.</LI>
10988 <P>See also our documentation section on the <A href="politics.html">
10989 history and politics</A> of cryptography.</P>
10990 <H3><A name="crypto.tech">Cryptography technical information</A></H3>
10991 <H4><A name="cryptolinks">Collections of crypto links</A></H4>
10993 <LI><A href="http://www.counterpane.com/hotlist.html">Counterpane</A></LI>
10994 <LI><A href="http://www.cs.auckland.ac.nz/~pgut001/links.html">Peter
10995 Gutman's links</A></LI>
10996 <LI><A href="http://home.cyber.ee/helger/crypto/">Helger Lipmaa's links</A>
10998 <LI><A href="http://www.pca.dfn.de/eng/team/ske/pem-dok.html">PKI links</A>
11000 <LI><A href="http://crypto.yashy.com/www/">Robert Guerra's links</A></LI>
11002 <H4><A name="papers">Lists of online cryptography papers</A></H4>
11004 <LI><A href="http://www.counterpane.com/biblio">Counterpane</A></LI>
11005 <LI><A href="http://www.cryptography.com/resources/papers">
11006 cryptography.com</A></LI>
11007 <LI><A href="http://www.cryptosoft.com/html/secpub.htm">Cryptosoft</A></LI>
11009 <H4><A name="interesting">Particularly interesting papers</A></H4>
11010 <P>These papers emphasize important issues around the use of
11011 cryptography, and the design and management of secure systems.</P>
11013 <LI><A href="http://www.counterpane.com/keylength.html">Key length
11014 requirements for security</A></LI>
11015 <LI><A href="http://www.cl.cam.ac.uk/users/rja14/wcf.html">Why
11016 Cryptosystems Fail</A></LI>
11017 <LI><A href="http://www.cdt.org/crypto/risks98/">Risks of escrowed
11018 encryption</A></LI>
11019 <LI><A href="http://www.counterpane.com/pitfalls.html">Security
11020 pitfalls in cryptography</A></LI>
11021 <LI><A href="http://www.acm.org/classics/sep95">Reflections on Trusting
11022 Trust</A>, Ken Thompson on Trojan horse design</LI>
11023 <LI><A href="http://www.apache-ssl.org/disclosure.pdf">Security against
11024 Compelled Disclosure</A>, how to maintain privacy in the face of legal
11025 or other coersion </LI>
11027 <H3><A name="compsec">Computer and network security</A></H3>
11028 <H4><A name="seclink">Security links</A></H4>
11030 <LI><A href="http://www.cs.purdue.edu/coast/hotlist">COAST Hotlist</A></LI>
11031 <LI>DMOZ open directory project <A href="http://dmoz.org/Computers/Security/">
11032 computer security</A> links</LI>
11033 <LI><A href="http://www.telstra.com.au/info/security.html">Telstra</A></LI>
11034 <LI><A href="http://www-cse.ucsd.edu/users/bsy/sec.html">Bennet Yee</A></LI>
11035 <LI><A href="http://www.excelmail.com">Email Security and PKI Documents</A>
11037 <LI><A href="http://www.opensec.net/">Open SEC</A>, a link farm full of
11038 links to freely available security tools</LI>
11039 <LI>Mike Fuhr's <A href="http://www.fuhr.org/~mfuhr/computers/security.html">
11040 link collection</A></LI>
11041 <LI><A href="http://www.networkintrusion.co.uk/">links</A> with an
11042 emphasis on intrusion detection </LI>
11044 <H4><A name="firewall3">Firewall links</A></H4>
11046 <LI><A href="http://www.cs.purdue.edu/coast/firewalls">COAST firewalls</A>
11048 <LI><A href="http://www.zeuros.co.uk">Firewalls Resource page</A></LI>
11049 <LI><A href="http://www.digital.de/~jmh/fw-stuff.html">Firewall info
11051 <LI><A href="http://www.idx.com.au/~amilev/Firewalls1.htm">Ami
11052 Levartovsky</A></LI>
11054 <H4><A name="vpn">VPN links</A></H4>
11056 <LI><A href="http://www.vpnc.org">VPN Consortium</A></LI>
11057 <LI>First VPN's <A href="http://www.firstvpn.com/research/rhome.html">
11058 white paper</A> collection</LI>
11059 <LI>oddsites.com <A href="http://www.oddsites.com/vpn/">VPN links</A></LI>
11061 <H4><A name="tools">Security tools</A></H4>
11063 <LI><A href="http://www.opensec.net/">Open SEC</A>, a link farm full of
11064 links to freely available security tools</LI>
11065 <LI>PGP -- mail encryption
11067 <LI><A href="http://www.pgp.com/">PGP Inc.</A> (part of NAI) for
11068 commercial versions</LI>
11069 <LI><A href="http://web.mit.edu/network/pgp.html">MIT</A> distributes
11070 the NAI product for non-commercial use</LI>
11071 <LI><A href="http://www.pgpi.org/">international</A> distribution site</LI>
11072 <LI><A href="http://gnupg.org">GNU Privacy Guard (GPG)</A></LI>
11073 <LI><A href="http://www.dk.pgp.net/pgpnet/pgp-faq/">PGP FAQ</A></LI>
11075 A message in our mailing list archive has considerable detail on <A href="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/12/msg00029.html">
11076 available versions</A> of PGP and on IPSEC support in them. </LI>
11077 <P><STRONG> Note:</STRONG> A fairly nasty bug exists in all commercial
11078 PGP versions from 5.5 through 6.5.3. If you have one of those, read
11079 the <A href="http://www.pgp.com/other/advisories/adk.asp"> security
11080 advisory</A> and <STRONG>upgrade now</STRONG>. </P>
11081 <LI>SSH -- secure remote login
11083 <LI><A href="www.ssh.fi">SSH Communications Security</A>, for the
11084 original software. It is free for trial, academic and non-commercial
11086 <LI><A href="http://www.openssh.com/">Open SSH</A>, the Open BSD
11087 team's free replacement</LI>
11088 <LI><A href="http://www.freessh.org/">freessh.org</A>, links to free
11089 implementations for many systems</LI>
11090 <LI><A href="http://www.uni-karlsruhe.de/~ig25/ssh-faq">SSH FAQ</A></LI>
11091 <LI><A href="http://www.chiark.greenend.org.uk/~sgtatham/putty/">Putty</A>
11092 , an SSH client for Windows </LI>
11095 <LI><A name="ssmail">ssmail -- sendmail patched to do <A href="carpediem">
11096 opportunistic encryption</A>
11098 <LI><A href="http://www.home.aone.net.au/qualcomm/">web page</A> with
11099 links to code and to a Usenix paper describing it, in PDF</LI>
11102 <LI><A href="ftp://ftp.cert.org/pub/tools/cops">COPS</A> Computer
11103 Oracle and Password System; tests a system for various weaknesses</LI>
11104 <LI><A href="http://www.fish.com/~zen/satan/satan.html">SATAN</A>
11105 System Administrators Tool for Analysing Networks</LI>
11106 <LI><A href="http://www.insecure.org/nmap/">NMAP</A> Network Mapper</LI>
11107 <LI><A href="http://ita.ee.lbl.gov/index.html">Internet Traffic Archive</A>
11108 , various tools to analyze network traffic, mostly scripts to organise
11109 and format tcpdump(8) output for specific purposes</LI>
11110 <LI><A href="ftp://ftp.porcupine.org/pub/security/index.html">Wietse
11111 Venema's page</A> with various tools</LI>
11112 <LI><A href="ftp://ftp.cert.org/pub/tools/crack">Crack</A> password
11114 <LI><A href="ftp://coast.cs.purdue.edu/pub/COAST/Tripwire">Tripwire</A>
11115 saves message digests of your system files. Re-calculate the digests
11116 and compare to saved values to detect any file changes.</LI>
11117 <LI><A href="http://all.net/dtk.html">Deception Toolkit</A>, a
11118 collection of "honeypot" servers which emulate widely exploited
11119 weaknesses while logging the attacks.</LI>
11120 <LI><A href="http://www.openca.org/">Open CA</A> project to develop a
11121 freely distributed <A href="#CA">Certification Authority</A> for
11122 building a open <A href="#PKI">Public Key Infrastructure</A>.</LI>
11123 <LI><A href="http://expert.cc.purdue.edu/~frantzen/">ISIC</A>, <STRONG>
11124 IP</STRONG><STRONG> s</STRONG>tack <STRONG>i</STRONG>ntegrity <STRONG>
11125 c</STRONG>hecker, generates legitmate and bogus packets "to test the
11126 stability of an IP Stack and its component stacks (TCP, UDP, ICMP et.
11129 <H3><A name="people">Links to home pages</A></H3>
11130 <P> David Wagner at Berkeley provides a set of links to <A href="http://www.cs.berkeley.edu/~daw/people/crypto.html">
11131 home pages</A> of cryptographers, cypherpunks and computer security
11134 <H1><A name="ourgloss">Glossary for the Linux FreeS/WAN project</A></H1>
11135 <P> Entries are in alphabetical order. Some entries are only one line
11136 or one paragraph long. Others run to several paragraphs. I have tried
11137 to put the essential information in the first paragraph so you can skip
11138 the other paragraphs if that seems appropriate.</P>
11140 <H2><A name="jump">Jump to a letter in the glossary</A></H2>
11141 <CENTER><BIG><B><A href="#0"> numeric</A><A href="#A"> A</A><A href="#B">
11142 B</A><A href="#C"> C</A><A href="#D"> D</A><A href="#E"> E</A><A href="#F">
11143 F</A><A href="#G"> G</A><A href="#H"> H</A><A href="#I"> I</A><A href="#J">
11144 J</A><A href="#K"> K</A><A href="#L"> L</A><A href="#M"> M</A><A href="#N">
11145 N</A><A href="#O"> O</A><A href="#P"> P</A><A href="#Q"> Q</A><A href="#R">
11146 R</A><A href="#S"> S</A><A href="#T"> T</A><A href="#U"> U</A><A href="#V">
11147 V</A><A href="#W"> W</A><A href="#X"> X</A><A href="#Y"> Y</A><A href="#Z">
11148 Z</A></B></BIG></CENTER>
11150 <H2><A name="gloss">Other glossaries</A></H2>
11151 <P>Other glossaries which overlap this one include:</P>
11153 <LI>The VPN Consortium's glossary of <A href="http://www.vpnc.org/terms.html">
11154 VPN terms</A>.</LI>
11155 <LI>glossary portion of the <A href="http://www.rsa.com/rsalabs/faq/html/glossary.html">
11156 Cryptography FAQ</A></LI>
11157 <LI>an extensive crytographic glossary on <A href="http://www.io.com/~ritter/GLOSSARY.HTM">
11158 Terry Ritter's</A> page.</LI>
11159 <LI>The <A href="#NSA">NSA</A>'s <A href="http://www.sans.org/newlook/resources/glossary.htm">
11160 glossary of computer security</A> on the <A href="http://www.sans.org">
11161 SANS Institute</A> site.</LI>
11162 <LI>an <A href="http://www.ietf.org/internet-drafts/draft-shirey-security-glossary-01.txt">
11163 Internet Draft</A> Crypto Glossary</LI>
11164 <LI>a small glossary for Internet Security at <A href="http://www5.zdnet.com/pcmag/pctech/content/special/glossaries/internetsecurity.html">
11165 PC magazine</A></LI>
11166 <LI>The <A href="http://www.visi.com/crypto/inet-crypto/glossary.html">
11167 glossary</A> from Richard Smith's book <A href="#Smith">Internet
11168 Cryptography</A></LI>
11170 <P>Three Internet glossaries are available as RFCs:</P>
11172 <LI><A href="http://www.rfc-editor.org/rfc/rfc1208.txt">Glossary of
11173 Networking Terms</A></LI>
11174 <LI><A href="http://www.rfc-editor.org/rfc/rfc1983.txt">Internet User's
11176 <LI><A href="http://www.rfc-editor.org/rfc/rfc2828.txt">Internet
11177 Security Glossary</A></LI>
11179 <P>More general glossary or dictionary information:</P>
11181 <LI>Free Online Dictionary of Computing (FOLDOC)
11183 <LI><A href="http://www.nightflight.com/foldoc">North America</A></LI>
11184 <LI><A href="http://wombat.doc.ic.ac.uk/foldoc/index.html">Europe</A></LI>
11185 <LI><A href="http://www.nue.org/foldoc/index.html">Japan</A></LI>
11188 <P>There are many more mirrors of this dictionary.</P>
11189 <LI><A href="http://hissa.ncsl.nist.gov/~black/CRCDict/">CRC dictionary
11190 of Computer Science</A></LI>
11191 <LI>The Jargon File, the definitive resource for hacker slang and
11194 <LI><A href="http://www.netmeg.net/jargon">North America</A></LI>
11195 <LI><A href="http://info.wins.uva.nl/~mes/jargon/">Holland</A></LI>
11196 <LI><A href="http://www.tuxedo.org/~esr/jargon">home page</A></LI>
11199 <P>There are also many mirrors of this. See the home page for a list.</P>
11200 <LI>A general <A href="http://www.trinity.edu/~rjensen/245glosf.htm#Navigate">
11201 technology glossary</A></LI>
11202 <LI>An <A href="http://www.yourdictionary.com/">online dictionary
11203 resource page</A> with pointers to many dictionaries for many languages</LI>
11204 <LI>A <A href="http://www.onelook.com/">search engine</A> that accesses
11205 several hundred online dictionaries</LI>
11206 <LI>O'Reilly <A href="http://www.ora.com/reference/dictionary/">
11207 Dictionary of PC Hardware and Data Communications Terms</A></LI>
11209 <P>Internet encyclopedias include:</P>
11211 <LI><A href="http://www.FreeSoft.org/CIE/index.htm">Connected</A></LI>
11212 <LI><A href="http://www.whatis.com/">whatis.com</A></LI>
11215 <H2><A name="definitions">Definitions</A></H2>
11217 <DT><A name="3DES"><A name="0">3DES (Triple DES)</A></A></DT>
11218 <DD>Using three <A href="#DES">DES</A> encryptions on a single data
11219 block, with at least two different keys, to get higher security than
11220 is available from a single DES pass. The three-key version of 3DES is
11221 the default encryption algorithm for <A href="#FreeSWAN">Linux
11222 FreeS/WAN</A>. </DD>
11223 <P><A href="#IPSEC">IPSEC</A> always does 3DES with three different
11224 keys, as required by RFC 2451. For an explanation of the two-key
11225 variant, see <A href="#2key">two key triple DES</A>. Both use an <A href="#EDE">
11226 EDE</A> encrypt-decrypt-encrpyt sequence of operations.</P>
11227 <P>Single <A href="#DES">DES</A> is <A href="#desnotsecure">insecure</A>
11229 <P>Double DES is ineffective. Using two 56-bit keys, one might expect
11230 an attacker to have to do 2<SUP>112</SUP> work to break it. In fact,
11231 only 2<SUP>57</SUP> work is required with a <A href="#meet">
11232 meet-in-the-middle attack</A>, though a large amount of memory is also
11233 required. Triple DES is vulnerable to a similar attack, but that just
11234 reduces the work factor from the 2<SUP>168</SUP> one might expect to 2<SUP>
11235 112</SUP>. That provides adequate protection against <A href="#brute">
11236 brute force</A> attacks, and no better attack is known.</P>
11237 <P>3DES can be somewhat slow compared to other ciphers. It requires
11238 three DES encryptions per block. DES was designed for hardware
11239 implementation and includes some operations which are difficult in
11240 software. However, the speed we get is quite acceptable for many uses.
11241 See <A href="#benchmarks">benchmarks</A> below for details.</P>
11242 <DT><A name="A">A</A></DT>
11243 <DT><A name="active"><A name="A">Active attack</A></A></DT>
11244 <DD>An attack in which the attacker does not merely eavesdrop (see <A href="#passive">
11245 passive attack</A>) but takes action to change, delete, reroute, add,
11246 forge or divert data. Perhaps the best-known active attack is <A href="#middle">
11247 man-in-the-middle</A>. In general, <A href="#authentication">
11248 authentication</A> is a useful defense against active attacks.</DD>
11249 <DT><A name="AES">AES</A></DT>
11250 <DD>The <B>A</B>dvanced <B>E</B>ncryption <B>S</B>tandard, a new <A href="#block">
11251 block cipher</A> standard to replace <A href="#desnotsecure">DES</A>
11252 being developed by <A href="#NIST">NIST</A>, the US National Institute
11253 of Standards and Technology. DES used 64-bit blocks and a 56-bit key.
11254 AES ciphers use a 128-bit block and are required to support 128, 192
11255 and 256-bit keys. Some of them support other sizes as well. The larger
11256 block size helps resist <A href="#birthday">birthday attacks</A> while
11257 the large key size prevents <A href="#brute">brute force attacks</A>. </DD>
11258 <P>Fifteen proposals meeting NIST's basic criteria were submitted in
11259 1998 and subjected to intense discussion and analysis, "round one"
11260 evaluation. In August 1999, NIST narrowed the field to five "round
11261 two" candidates:</P>
11263 <LI><A href="http://www.research.ibm.com/security/mars.html">Mars</A>
11265 <LI><A href="http://www.rsa.com/rsalabs/aes/">RC6</A> from RSA</LI>
11266 <LI><A href="http://www.esat.kuleuven.ac.be/~rijmen/rijndael/">Rijndael</A>
11267 from two Belgian researchers</LI>
11268 <LI><A href="http://www.cl.cam.ac.uk/~rja14/serpent.html">Serpent</A>,
11269 a British-Norwegian-Israeli research collaboration</LI>
11270 <LI><A href="http://www.counterpane.com/twofish.html">Twofish</A> from
11271 the consulting firm Counterpane</LI>
11273 <P> In October 2000, NIST announced the winner -- Rijndael.</P>
11274 <P>Adding one or more AES ciphers to <A href="#FreeSWAN">Linux
11275 FreeS/WAN</A> would be useful undertaking, and considerable freely
11276 available code exists to start from. One complication is that our code
11277 is built for a 64-bit block cipher and AES uses a 128-bit block.
11278 Volunteers via the <A href="#list">mailing lists</A> would be welcome.</P>
11279 <P>For more information, see the <A href="http://csrc.nist.gov/encryption/aes/aes_home.htm">
11280 NIST AES home page</A> or the <A href="http://www.ii.uib.no/~larsr/aes.html">
11281 Block Cipher Lounge AES page</A>. For code and benchmarks see <A href="http://www.btinternet.com/~brian.gladman/">
11282 Brian Gladman's page </A> .</P>
11283 <DT><A name="AH">AH</A></DT>
11284 <DD>The <A href="#IPSEC">IPSEC</A><B> A</B>uthentication <B>H</B>eader,
11285 added after the IP header. For details, see our <A href="#overview">
11286 IPSEC Overview</A> document and/or RFC 2402.</DD>
11287 <DT><A name="alicebob">Alice and Bob</A></DT>
11288 <DD>A and B, the standard example users in writing on cryptography and
11289 coding theory. Carol and Dave join them for protocols which require
11290 more players. </DD>
11291 <P><A href="#schneier">Bruce Schneier</A> extends these with many
11292 others such as Eve the Eavesdropper and Victor the Verifier. His
11293 extensions seem to be in the process of becoming standard as well. See
11294 page 23 of <A href="#schneier"> Applied Cryptography</A></P>
11295 <P>Alice and Bob have an amusing <A href="http://www.conceptlabs.co.uk/alicebob.html">
11296 biography</A> on the web.</P>
11298 <DD>see <A href="#DARPA">DARPA</A></DD>
11299 <DT><A name="ASIO">ASIO</A></DT>
11300 <DD>Australian Security Intelligence Organisation.</DD>
11301 <DT>Asymmetric cryptography</DT>
11302 <DD>See <A href="#public">public key cryptography</A>.</DD>
11303 <DT><A name="authentication">Authentication</A></DT>
11304 <DD>Ensuring that a message originated from the expected sender and has
11305 not been altered on route. <A href="#IPSEC">IPSEC</A> uses
11306 authentication in two places: </DD>
11309 <LI>peer authentication, authenticating the players in <A href="#IKE">
11310 IKE</A>'s <A href="#DH">Diffie-Hellman</A> key exchanges to prevent <A href="#middle">
11311 man-in-the-middle attacks</A>. This can be done in a number of ways.
11312 The methods supported by FreeS/WAN are discussed in our <A href="#choose">
11313 configuration</A> document.</LI>
11314 <LI>packet authentication, authenticating packets on an established <A href="#SA">
11315 SA</A>, either with a separate <A href="#AH">authentication header</A>
11316 or with the optional authentication in the <A href="#ESP">ESP</A>
11317 protocol. In either case, packet authentication uses a <A href="#HMAC">
11318 hashed message athentication code</A> technique.</LI>
11320 <P>Outside IPSEC, passwords are perhaps the most common authentication
11321 mechanism. Their function is essentially to authenticate the person's
11322 identity to the system. Passwords are generally only as secure as the
11323 network they travel over. If you send a cleartext password over a
11324 tapped phone line or over a network with a packet sniffer on it, the
11325 security provided by that password becomes zero. Sending an encrypted
11326 password is no better; the attacker merely records it and reuses it at
11327 his convenience. This is called a <A href="#replay">replay</A> attack.</P>
11328 <P>A common solution to this problem is a <A href="#challenge">
11329 challenge-response</A> system. This defeats simple eavesdropping and
11330 replay attacks. Of course an attacker might still try to break the
11331 cryptographic algorithm used, or the <A href="#random"> random number</A>
11333 <DT><A name="auto">Automatic keying</A></DT>
11334 <DD>A mode in which keys are automatically generated at connection
11335 establisment and new keys automaically created periodically
11336 thereafter. Contrast with <A href="#manual">manual keying</A> in which
11337 a single stored key is used. </DD>
11338 <P>IPSEC uses the <A href="#DH">Diffie-Hellman key exchange protocol</A>
11339 to create keys. An <A href="authentication">authentication</A>
11340 mechansim is required for this. The methods supported by FreeS/WAN
11341 are discussed in our <A href="#choose">configuration</A> document.</P>
11342 <P>Having an attacker break the authentication is emphatically not a
11343 good idea. An attacker that breaks authentication, and manages to
11344 subvert some other network entities (DNS, routers or gateways), can
11345 use a <A href="#middle">man-in-the middle attack</A> to break the
11346 security of your IPSEC connections.</P>
11347 <P>However, having an attacker break the authentication in automatic
11348 keying is not quite as bad as losing the key in manual keying.</P>
11350 <LI>An attacker who reads /etc/ipsec.conf and gets the keys for a
11351 manually keyed connection can, without further effort, read all
11352 messages encrypted with those keys, including any old messages he may
11353 have archived.</LI>
11354 <LI>Automatic keying has a property called <A href="#PFS">perfect
11355 forward secrecy</A>. An attacker who breaks the authentication gets
11356 none of the automatically generated keys and cannot immediately read
11357 any messages. He has to mount a successful <A href="#middle">
11358 man-in-the-middle attack</A> in real time before he can read anything.
11359 He cannot read old archived messages at all and will not be able to
11360 read any future messages not caught by man-in-the-middle tricks.</LI>
11362 <P>That said, the secrets used for authentication, stored in <A href="manpage.d/ipsec.secrets.5.html">
11363 ipsec.secrets(5)</A>, should still be protected as tightly as
11364 cryptographic keys.</P>
11365 <DT><A name="B">B</A></DT>
11366 <DT><A href="http://www.nortelnetworks.com">Bay Networks</A></DT>
11367 <DD>A vendor of routers, hubs and related products, now a subsidiary of
11368 Nortel. Interoperation between their IPSEC products and Linux
11369 FreeS/WAN was problematic at last report; see our <A href="#bay">
11370 interoperation</A> section.</DD>
11371 <DT><A name="benchmarks">benchmarks</A></DT>
11372 <DD>Our default block cipher, <A href="#3DES">triple DES</A>, is slower
11373 than many alternate ciphers that might be used. Speeds achieved,
11374 however, seem adequate for many purposes. For example, the assembler
11375 code from the <A href="#LIBDES">LIBDES</A> library we use encrypts 1.6
11376 megabytes per second on a Pentium 200, according to the test program
11377 supplied with the library. </DD>
11378 <P> For more detail, see our document on <A href="performance.html">
11379 FreeS/WAN performance</A>. </P>
11380 <DT><A name="BIND">BIND</A></DT>
11381 <DD><B>B</B>erkeley <B>I</B>nternet <B>N</B>ame <B>D</B>aemon, a widely
11382 used implementation of <A href="#DNS">DNS</A> (Domain Name Service).
11383 See our bibliography for a <A href="#DNS">useful reference</A>. See
11384 the <A href="http://www.isc.org/bind.html">BIND home page</A> for more
11385 information and the latest version.</DD>
11386 <DT><A name="birthday">Birthday attack</A></DT>
11387 <DD>A cryptographic attack based on the mathematics exemplified by the <A
11388 href="#paradox"> birthday paradox</A>. This math turns up whenever the
11389 question of two cryptographic operations producing the same result
11392 <LI><A href="#collision">collisions</A> in <A href="#digest">message
11393 digest</A> functions.</LI>
11394 <LI>identical output blocks from a <A href="#block">block cipher</A></LI>
11395 <LI>repetition of a challenge in a <A href="#challenge">
11396 challenge-response</A> system</LI>
11399 <P>Resisting such attacks is part of the motivation for:</P>
11401 <LI>hash algorithms such as <A href="#SHA">SHA</A> and <A href="#RIPEMD">
11402 RIPEMD-160</A> giving a 160-bit result rather than the 128 bits of <A href="#MD4">
11403 MD4</A>, <A href="#MD5">MD5</A> and <A href="#RIPEMD"> RIPEMD-128</A>.</LI>
11404 <LI><A href="#AES">AES</A> block ciphers using a 128-bit block instead
11405 of the 64-bit block of most current ciphers</LI>
11406 <LI><A href="#IPSEC">IPSEC</A> using a 32-bit counter for packets sent
11407 on an <A href="#auto">automatically keyed</A><A href="#SA"> SA</A> and
11408 requiring that the connection always be rekeyed before the counter
11411 <DT><A name="paradox">Birthday paradox</A></DT>
11412 <DD>Not really a paradox, just a rather counter-intuitive mathematical
11413 fact. In a group of 23 people, the chance of a least one pair having
11414 the same birthday is over 50%. </DD>
11415 <P>The second person has 1 chance in 365 (ignoring leap years) of
11416 matching the first. If they don't match, the third person's chances of
11417 matching one of them are 2/365. The 4th, 3/365, and so on. The total
11418 of these chances grows more quickly than one might guess.</P>
11419 <DT><A name="block">Block cipher</A></DT>
11420 <DD>A <A href="#symmetric">symmetric cipher</A> which operates on
11421 fixed-size blocks of plaintext, giving a block of ciphertext for each.
11422 Contrast with <A href="#stream"> stream cipher</A>. Block ciphers can
11423 be used in various <A href="#mode">modes</A> when multiple block are
11424 to be encrypted. </DD>
11425 <P><A href="#DES">DES</A> is among the the best known and widely used
11426 block ciphers, but is now obsolete. Its 56-bit key size makes it <A href="#desnotsecure">
11427 highly insecure</A> today. <A href="#3DES">Triple DES</A> is the
11428 default transform for <A href="#FreeSWAN">Linux FreeS/WAN</A> because
11429 it is the only cipher which is both required in the <A href="#RFC">RFCs</A>
11430 and apparently secure.</P>
11431 <P>The current generation of block ciphers -- such as <A href="#Blowfish">
11432 Blowfish</A>, <A href="#CAST128">CAST-128</A> and <A href="#IDEA">IDEA</A>
11433 -- all use 64-bit blocks and 128-bit keys. The next generation, <A href="#AES">
11434 AES</A>, uses 128-bit blocks and supports key sizes up to 256 bits.</P>
11435 <P>The <A href="http://www.ii.uib.no/~larsr/bc.html"> Block Cipher
11436 Lounge</A> web site has more information.</P>
11437 <DT><A name="Blowfish">Blowfish</A></DT>
11438 <DD>A <A href="#block">block cipher</A> using 64-bit blocks and keys of
11439 up to 448 bits, designed by <A href="#schneier">Bruce Schneier</A> and
11440 used in several products. </DD>
11441 <P>This is not required by the <A href="#IPSEC">IPSEC</A> RFCs and not
11442 currently used in <A href="#FreeSWAN">Linux FreeS/WAN</A>.</P>
11443 <DT><A name="brute">Brute force attack (exhaustive search)</A></DT>
11444 <DD>Breaking a cipher by trying all possible keys. This is always
11445 possible in theory (except against a <A href="#OTP">one-time pad</A>),
11446 but it becomes practical only if the key size is inadequate. For an
11447 important example, see our document on the <A href="#desnotsecure">
11448 insecurity of DES</A> with its 56-bit key. For an analysis of key
11449 sizes required to resist plausible brute force attacks, see <A href="http://www.counterpane.com/keylength.html">
11450 this paper</A>. </DD>
11451 <P>Longer keys protect against brute force attacks. Each extra bit in
11452 the key doubles the number of possible keys and therefore doubles the
11453 work a brute force attack must do. A large enough key defeats <STRONG>
11454 any</STRONG> brute force attack.</P>
11455 <P>For example, the EFF's <A href="#EFF">DES Cracker</A> searches a
11456 56-bit key space in an average of a few days. Let us assume an
11457 attacker that can find a 64-bit key (256 times harder) by brute force
11458 search in a second (a few hundred thousand times faster). For a 96-bit
11459 key, that attacker needs 2<SUP>32</SUP> seconds, just over a century.
11460 Against a 128-bit key, he needs 2<SUP>32</SUP> centuries or about
11461 400,000,000,000 years. Your data is then obviously secure against
11462 brute force attacks. Even if our estimate of the attacker's speed is
11463 off by a factor of a million, it still takes him 400,000 years to
11464 crack a message.</P>
11467 <LI>single <A href="#DES">DES</A> is now considered <A href="#desnotsecure">
11468 dangerously insecure</A></LI>
11469 <LI>all of the current generation of <A href="#block">block ciphers</A>
11470 use a 128-bit or longer key</LI>
11471 <LI><A href="#AES">AES</A> ciphers support keysizes 128, 192 and 256
11473 <LI>any cipher we add to Linux FreeS/WAN will have <EM>at least</EM> a
11476 <P><STRONG>Cautions:</STRONG>
11477 <BR><EM> Inadequate keylength always indicates a weak cipher</EM> but
11478 it is important to note that <EM>adequate keylength does not
11479 necessarily indicate a strong cipher</EM>. There are many attacks
11480 other than brute force, and adequate keylength <EM>only</EM>
11481 guarantees resistance to brute force. Any cipher, whatever its key
11482 size, will be weak if design or implementation flaws allow other
11484 <P>Also, <EM>once you have adequate keylength</EM> (somewhere around
11485 90 or 100 bits), <EM>adding more key bits make no practical difference</EM>
11486 , even against brute force. Consider our 128-bit example above that
11487 takes 400 billion years to break by brute force. Do we care if an
11488 extra 16 bits of key put that into the quadrillions? No. What about 16
11489 fewer bits reducing it to the 112-bit security level of <A href="#3DES">
11490 Triple DES</A>, which our example attacker could break in just over a
11491 billion years? No again, unless we're being really paranoid about
11492 safety margins.</P>
11493 <P>There may be reasons of convenience in the design of the cipher to
11494 support larger keys. For example <A href="#Blowfish">Blowfish</A>
11495 allows up to 448 bits and <A href="#RC4">RC4</A> up to 2048, but
11496 beyond 100-odd bits it makes no difference to practical security.</P>
11497 <DT>Bureau of Export Administration</DT>
11498 <DD>see <A href="#BXA">BXA</A></DD>
11499 <DT><A name="BXA">BXA</A></DT>
11500 <DD>The US Commerce Department's <B>B</B>ureau of E<B>x</B>port <B> A</B>
11501 dministration which administers the <A href="#EAR">EAR</A> Export
11502 Administration Regulations controling the export of, among other
11503 things, cryptography.</DD>
11504 <DT><A name="C">C</A></DT>
11505 <DT><A name="CA"><A name="C">CA</A></A></DT>
11506 <DD><B>C</B>ertification <B>A</B>uthority, an entity in a <A href="#PKI">
11507 public key infrastructure</A> that can certify keys by signing them.
11508 Usually CAs form a hierarchy. The top of this hierarchy is called the <A
11509 href="#rootCA">root CA</A>. </DD>
11510 <P>See <A href="#web">Web of Trust</A> for an alternate model.</P>
11511 <DT><A name="CAST128">CAST-128</A></DT>
11512 <DD>A <A href="#block">block cipher</A> using 64-bit blocks and 128-bit
11513 keys, described in RFC 2144 and used in products such as <A href="#Entrust">
11514 Entrust</A> and recent versions of <A href="#PGP">PGP</A>. </DD>
11515 <P>This is not required by the <A href="#IPSEC">IPSEC</A> RFCs and not
11516 currently used in <A href="#FreeSWAN">Linux FreeS/WAN</A>.</P>
11518 <DD><A href="#Entrust">Entrust</A>'s candidate cipher for the <A href="#AES">
11519 AES standard</A>, largely based on the <A href="#CAST128">CAST-128</A>
11521 <DT><A name="CBC">CBC mode</A></DT>
11522 <DD><B>C</B>ipher <B>B</B>lock <B>C</B>haining <A href="#mode">mode</A>
11523 , a method of using a <A href="#block">block cipher</A> in which for
11524 each block except the first, the result of the previous encryption is
11525 XORed into the new block before it is encrypted. CBC is the mode used
11526 in <A href="#IPSEC">IPSEC</A>. </DD>
11527 <P>An <A href="#IV">initialisation vector</A> (IV) must be provided.
11528 It is XORed into the first block before encryption. The IV need not be
11529 secret but should be different for each message and unpredictable.</P>
11530 <DT>Certification Authority</DT>
11531 <DD>see <A href="#CA">CA</A></DD>
11532 <DT><A name="mode">Cipher Modes</A></DT>
11533 <DD>Different ways of using a block cipher when encrypting multiple
11535 <P>Four standard modes were defined for <A href="#DES">DES</A> in <A href="#FIPS">
11536 FIPS</A> 81. They can actually be applied with any block cipher.</P>
11538 <TR><TD><TD><A href="#ECB">ECB</A></TD><TD>Electronic CodeBook</TD><TD>
11539 encrypt each block independently</TD></TR>
11540 <TR><TD><TD><A href="#CBC">CBC</A></TD><TD>Cipher Block Chaining
11541 <BR></TD><TD>XOR previous block ciphertext into new block plaintext
11542 before encrypting new block</TD></TR>
11543 <TR><TD><TD>CFB</TD><TD>Cipher FeedBack</TD><TD></TR>
11544 <TR><TD><TD>OFB</TD><TD>Output FeedBack</TD><TD></TR>
11546 <P><A href="#IPSEC">IPSEC</A> uses <A href="#CBC">CBC</A> mode since
11547 this is only marginally slower than <A href="#ECB">ECB</A> and is more
11548 secure. In ECB mode the same plaintext always encrypts to the same
11549 ciphertext, unless the key is changed. In CBC mode, this does not
11551 <P>Various other modes are also possible, but none of them are used in
11553 <DT><A name="challenge">Challenge-response authentication</A></DT>
11554 <DD>An <A href="#authentication">authentication</A> system in which one
11555 player generates a <A href="#random">random number</A>, encrypts it
11556 and sends the result as a challenge. The other player decrypts and
11557 sends back the result. If the result is correct, that proves to the
11558 first player that the second player knew the appropriate secret,
11559 required for the decryption. Variations on this technique exist using <A
11560 href="#public"> public key</A> or <A href="#symmetric">symmetric</A>
11561 cryptography. Some provide two-way authentication, assuring each
11562 player of the other's identity. </DD>
11563 <P>This is more secure than passwords against two simple attacks:</P>
11565 <LI>If cleartext passwords are sent across the wire (e.g. for telnet),
11566 an eavesdropper can grab them. The attacker may even be able to break
11567 into other systems if the user has chosen the same password for them.</LI>
11568 <LI>If an encrypted password is sent, an attacker can record the
11569 encrypted form and use it later. This is called a replay attack.</LI>
11571 <P>A challenge-response system never sends a password, either
11572 cleartext or encrypted. An attacker cannot record the response to one
11573 challenge and use it as a response to a later challenge. The random
11574 number is different each time.</P>
11575 <P>Of course an attacker might still try to break the cryptographic
11576 algorithm used, or the <A href="#random">random number</A> generator.</P>
11577 <DT><A name="ciphertext">Ciphertext</A></DT>
11578 <DD>The encrypted output of a cipher, as opposed to the unencrypted <A href="#plaintext">
11579 plaintext</A> input.</DD>
11580 <DT><A href="http://www.cisco.com">Cisco</A></DT>
11581 <DD>A vendor of routers, hubs and related products. Their IPSEC
11582 products interoperate with Linux FreeS/WAN; see our <A href="#Cisco">
11583 interop</A> section.</DD>
11584 <DT><A name="client">Client</A></DT>
11585 <DD>This term has at least two distinct uses in discussing IPSEC:
11587 <LI>The <STRONG>clients of an IPSEC gateway</STRONG> are the machines
11588 it protects, typically on one or more subnets behind the gateway. In
11589 this usage, all the machines on an office network are clients of that
11590 office's IPSEC gateway. Laptop or home machines connecting to the
11591 office, however, are <EM>not</EM> clients of that gateway. They are
11592 remote gateways, running the other end of an IPSEC connection. Each of
11593 them is also its own client.</LI>
11594 <LI><STRONG>IPSEC client software</STRONG> is used to describe
11595 software which runs on various standalone machines to let them
11596 connect to IPSEC networks. In this usage, a laptop or home machine
11597 connecting to the office <EM>is</EM> a client machine.</LI>
11600 <P>We generally use the term in the first sense. Vendors of Windows
11601 IPSEC solutions often use it in the second.</P>
11602 <DT>Conventional cryptography</DT>
11603 <DD>See <A href="#symmetric">symmetric cryptography</A></DD>
11604 <DT><A name="collision">Collision resistance</A></DT>
11605 <DD>The property of a <A href="#digest">message digest</A> algorithm
11606 which makes it hard for an attacker to find or construct two inputs
11607 which hash to the same output.</DD>
11609 <DD>see GNU <A href="#GPL">General Public License</A></DD>
11610 <DT><A name="CSE">CSE</A></DT>
11611 <DD><A href="http://www.cse-cst.gc.ca/cse/english/home_1.html">
11612 Communications Security Establishment</A>, the Canadian organisation
11613 for <A href="#SIGINT">signals intelligence</A>.</DD>
11614 <DT><A name="D">D</A></DT>
11615 <DT><A name="DARPA"><A name="D">DARPA (sometimes just ARPA)</A></A></DT>
11616 <DD>The US government's <B>D</B>efense <B>A</B>dvanced <B>R</B>esearch <B>
11617 P</B>rojects <B>A</B>gency. Projects they have funded over the years
11618 have included the Arpanet which evolved into the Internet, the TCP/IP
11619 protocol suite (as a replacement for the original Arpanet suite), the
11620 Berkeley 4.x BSD Unix projects, and <A href="#SDNS">Secure DNS</A>. </DD>
11621 <P>For current information, see their <A href="http://www.darpa.mil/ito">
11623 <DT><A name="DOS">Denial of service (DoS) attack</A></DT>
11624 <DD>An attack that aims at denying some service to legitimate users of
11625 a system, rather than providing a service to the attacker.
11627 <LI>One variant is a flooding attack, overwhelming the system with too
11628 many packets, to much email, or whatever.</LI>
11629 <LI>A closely related variant is a resource exhaustion attack. For
11630 example, consider a "TCP SYN flood" attack. Setting up a TCP
11631 connection involves a three-packet exchange:
11633 <LI>Initiator: Connection please (SYN)</LI>
11634 <LI>Responder: OK (ACK)</LI>
11635 <LI>Initiator: OK here too</LI>
11638 <P>If the attacker puts bogus source information in the first packet,
11639 such that the second is never delivered, the responder may wait a long
11640 time for the third to come back. If responder has already allocated
11641 memory for the connection data structures, and if many of these bogus
11642 packets arrive, the responder may run out of memory.</P>
11643 <LI>Another variant is to feed the system undigestible data, hoping to
11644 make it sick. For example, IP packets are limited in size to 64K bytes
11645 and a fragment carries information on where it starts within that 64K
11646 and how long it is. The "ping of death" delivers fragments that say,
11647 for example, that they start at 60K and are 20K long. Attempting to
11648 re-assemble these without checking for overflow can be fatal.</LI>
11651 <P>The two example attacks discussed were both quite effective when
11652 first discovered, capable of crashing or disabling many operating
11653 systems. They were also well-publicised, and today far fewer systems
11654 are vulnerable to them.</P>
11655 <DT><A name="DES">DES</A></DT>
11656 <DD>The <B>D</B>ata <B>E</B>ncryption <B>S</B>tandard, a <A href="#block">
11657 block cipher</A> with 64-bit blocks and a 56-bit key. Probably the
11658 most widely used <A href="#symmetric">symmetric cipher</A> ever
11659 devised. DES has been a US government standard for their own use (only
11660 for unclassified data), and for some regulated industries such as
11661 banking, since the late 70's. </DD>
11662 <P><A href="#desnotsecure">DES is seriously insecure against current
11664 <P><A href="#FreeSWAN">Linux FreeS/WAN</A> does not include DES, even
11665 though the RFCs specify it. <B>We strongly recommend that single DES
11666 not be used.</B></P>
11667 <P>See also <A href="#3DES">3DES</A> and <A href="#DESX">DESX</A>,
11668 stronger ciphers based on DES.</P>
11669 <DT><A name="DESX">DESX</A></DT>
11670 <DD>An improved <A href="#DES">DES</A> suggested by Ron Rivest of RSA
11671 Data Security. It XORs extra key material into the text before and
11672 after applying the DES cipher. </DD>
11673 <P>This is not required by the <A href="#IPSEC">IPSEC</A> RFCs and not
11674 currently used in <A href="#FreeSWAN">Linux FreeS/WAN</A>. DESX would
11675 be the easiest additional transform to add; there would be very little
11676 code to write. It would be much faster than 3DES and almost certainly
11677 more secure than DES. However, since it is not in the RFCs other IPSEC
11678 implementations cannot be expected to have it.</P>
11680 <DD>see <A href="#DH">Diffie-Hellman</A></DD>
11681 <DT><A name="DH">Diffie-Hellman (DH) key exchange protocol</A></DT>
11682 <DD>A protocol that allows two parties without any initial shared
11683 secret to create one in a manner immune to eavesdropping. Once they
11684 have done this, they can communicate privately by using that shared
11685 secret as a key for a block cipher or as the basis for key exchange. </DD>
11686 <P>The protocol is secure against all <A href="#passive">passive
11687 attacks</A>, but it is not at all resistant to active <A href="#middle">
11688 man-in-the-middle attacks</A>. If a third party can impersonate Bob to
11689 Alice and vice versa, then no useful secret can be created.
11690 Authentication of the participants is a prerequisite for safe
11691 Diffie-Hellman key exchange. IPSEC can use any of several <A href="#authentication">
11692 authentication</A> mechanisims. Those supported by FreeS/WAN are
11693 discussed in our <A href="#choose">configuration</A> section.</P>
11694 <P>The Diffie-Hellman key exchange is based on the <A href="#dlog">
11695 discrete logarithm</A> problem and is secure unless someone finds an
11696 efficient solution to that problem.</P>
11697 <P>Given a prime <VAR>p</VAR> and generator <VAR>g</VAR> (explained
11698 under <A href="#dlog">discrete log</A> below), Alice:</P>
11700 <LI>generates a random number <VAR>a</VAR></LI>
11701 <LI>calculates <VAR>A = g^a modulo p</VAR></LI>
11702 <LI>sends <VAR>A</VAR> to Bob</LI>
11704 <P>Meanwhile Bob:</P>
11706 <LI>generates a random number <VAR>b</VAR></LI>
11707 <LI>calculates <VAR>B = g^b modulo p</VAR></LI>
11708 <LI>sends <VAR>B</VAR> to Alice</LI>
11710 <P>Now Alice and Bob can both calculate the shared secret <VAR>s =
11711 g^(ab)</VAR>. Alice knows <VAR>a</VAR> and <VAR>B</VAR>, so she
11712 calculates <VAR>s = B^a</VAR>. Bob knows <VAR>A</VAR> and <VAR>b</VAR>
11713 so he calculates <VAR>s = A^b</VAR>.</P>
11714 <P>An eavesdropper will know <VAR>p</VAR> and <VAR>g</VAR> since these
11715 are made public, and can intercept <VAR>A</VAR> and <VAR>B</VAR> but,
11716 short of solving the <A href="#dlog">discrete log</A> problem, these
11717 do not let him or her discover the secret <VAR>s</VAR>.</P>
11718 <DT><A name="signature">Digital signature</A></DT>
11721 <LI>calculates a <A href="#digest">message digest</A> of a document</LI>
11722 <LI>encrypts the digest with his or her private key, using some <A href="#public">
11723 public key cryptosystem</A>.</LI>
11724 <LI>attaches the encrypted digest to the document as a signature</LI>
11729 <LI>calculates a digest of the document (not including the signature)</LI>
11730 <LI>decrypts the signature with the signer's public key</LI>
11731 <LI>verifies that the two results are identical</LI>
11733 <P>If the public-key system is secure and the verification succeeds,
11734 then the receiver knows</P>
11736 <LI>that the document was not altered between signing and verification</LI>
11737 <LI>that the signer had access to the private key</LI>
11739 <P>Such an encrypted message digest can be treated as a signature
11740 since it cannot be created without <EM>both</EM> the document <EM> and</EM>
11741 the private key which only the sender should possess. The <A href="#legal">
11742 legal issues</A> are complex, but several countries are moving in the
11743 direction of legal recognition for digital signatures.</P>
11744 <DT><A name="dlog">discrete logarithm problem</A></DT>
11745 <DD>The problem of finding logarithms in a finite field. Given a field
11746 defintion (such definitions always include some operation analogous to
11747 multiplication) and two numbers, a base and a target, find the power
11748 which the base must be raised to in order to yield the target. </DD>
11749 <P>The discrete log problem is the basis of several cryptographic
11750 systems, including the <A href="#DH">Diffie-Hellman</A> key exchange
11751 used in the <A href="#IKE">IKE</A> protocol. The useful property is
11752 that exponentiation is relatively easy but the inverse operation,
11753 finding the logarithm, is hard. The cryptosystems are designed so that
11754 the user does only easy operations (exponentiation in the field) but
11755 an attacker must solve the hard problem (discrete log) to crack the
11757 <P>There are several variants of the problem for different types of
11758 field. The IKE/Oakley key determination protocol uses two variants,
11759 either over a field modulo a prime or over a field defined by an
11760 elliptic curve. We give an example modulo a prime below. For the
11761 elliptic curve version, consult an advanced text such as <A href="#handbook">
11762 Handbook of Applied Cryptography</A>.</P>
11763 <P>Given a prime <VAR>p</VAR>, a generator <VAR>g</VAR> for the field
11764 modulo that prime, and a number <VAR>x</VAR> in the field, the problem
11765 is to find <VAR>y</VAR> such that <VAR>g^y = x</VAR>.</P>
11766 <P>For example, let p = 13. The field is then the integers from 0 to
11767 12. Any integer equals one of these modulo 13. That is, the remainder
11768 when any integer is divided by 13 must be one of these.</P>
11769 <P>2 is a generator for this field. That is, the powers of two modulo
11770 13 run through all the non-zero numbers in the field. Modulo 13 we
11777 2^4 == 3 that is, the remainder from 16/13 is 3
11778 2^5 == 6 the remainder from 32/13 is 6
11779 2^6 == 12 and so on
11786 <P> Exponentiation in such a field is not difficult. Given, say, <NOBR><VAR>
11787 y = 11</VAR>,</NOBR> calculating <NOBR><VAR>x = 7</VAR></NOBR> is
11788 straightforward. One method is just to calculate <NOBR><VAR>2^11 = 2048</VAR>
11789 ,</NOBR> then <NOBR><VAR>2048 mod 13 == 7</VAR>.</NOBR> When the field
11790 is modulo a large prime (say a few 100 digits) you need a silghtly
11791 cleverer method and even that is moderately expensive in computer time,
11792 but the calculation is still not problematic in any basic way.</P>
11793 <P> The discrete log problem is the reverse. In our example, given <NOBR>
11794 <VAR>x = 7</VAR>,</NOBR> find the logarithm <NOBR><VAR>y = 11</VAR>.</NOBR>
11795 When the field is modulo a large prime (or is based on a suitable
11796 elliptic curve), this is indeed problematic. No solution method that
11797 is not catastrophically expensive is known. Quite a few mathematicians
11798 have tackled this problem. No efficient method has been found and
11799 mathematicians do not expect that one will be. It seems likely no
11800 efficient solution to either of the main variants the discrete log
11801 problem exists.</P>
11802 <P>Note, however, that no-one has proven such methods do not exist. If
11803 a solution to either variant were found, the security of any crypto
11804 system using that variant would be destroyed. This is one reason <A href="#IKE">
11805 IKE</A> supports two variants. If one is broken, we can switch to the
11807 <DT><A name="DNS">DNS</A></DT>
11808 <DD><B>D</B>omain <B>N</B>ame <B>S</B>ervice, a distributed database
11809 through which names are associated with numeric addresses and other
11810 information in the Internet Protocol Suite. See also <A href="#BIND">
11811 BIND</A>, the Berkeley Internet Name Daemon which implements DNS
11812 services and <A href="#SDNS">Secure DNS</A>. See our bibliography for
11813 a <A href="#DNS.book">useful reference</A> on both.</DD>
11814 <DT>DOS attack</DT>
11815 <DD>see <A href="#DOS">Denial Of Service</A> attack</DD>
11816 <DT><A name="E">E</A></DT>
11817 <DT><A name="EAR"><A name="E2"></A><A name="E">EAR</A></DT>
11818 <DD>The US government's <B>E</B>xport <B>A</B>dministration <B> R</B>
11819 egulations, administered by the <A href="#BXA">Bureau of Export
11820 Administration</A>. These have replaced the earlier <A href="#ITAR">ITAR</A>
11821 regulations as the controls on export of cryptography.</DD>
11822 <DT><A name="ECB">ECB mode</A></DT>
11823 <DD><B>E</B>lectronic <B>C</B>ode<B>B</B>ook mode, the simplest way to
11824 use a block cipher. See <A href="#mode">Cipher Modes</A>.</DD>
11825 <DT><A name="EDE">EDE</A></DT>
11826 <DD>The sequence of operations normally used in either the three-key
11827 variant of <A href="#3DES">triple DES</A> used in <A href="#IPSEC">
11828 IPSEC</A> or the <A href="#2key">two-key</A> variant used in some
11829 other systems. </DD>
11830 <P>The sequence is:</P>
11832 <LI><B>E</B>ncrypt with key1</LI>
11833 <LI><B>D</B>ecrypt with key2</LI>
11834 <LI><B>E</B>ncrypt with key3</LI>
11836 <P>For the two-key version, key1=key3.</P>
11837 <P>The "advantage" of this EDE order of operations is that it makes it
11838 simple to interoperate with older devices offering only single DES.
11839 Set key1=key2=key3 and you have the worst of both worlds, the overhead
11840 of triple DES with the security of single DES. Since <A href="#desnotsecure">
11841 single DES is insecure</A>, this is an extremely dubious "advantage".</P>
11842 <P>The EDE two-key variant can also interoperate with the EDE
11843 three-key variant used in <A href="#IPSEC">IPSEC</A>; just set k1=k3.</P>
11844 <DT><A name="Entrust"><A href="http://www.entrust.com">Entrust</A></A></DT>
11845 <DD>A Canadian company offerring enterprise <A href="#PKI">PKI</A>
11846 products using <A href="#CAST128">CAST-128</A> symmetric crypto, <A href="#RSA">
11847 RSA</A> public key and <A href="#X509">X.509</A> directories.</DD>
11848 <DT><A name="EFF">EFF</A></DT>
11849 <DD><A href="http://www.eff.org">Electronic Frontier Foundation</A>, an
11850 advocacy group for civil rights in cyberspace.</DD>
11851 <DT><A name="encryption">Encryption</A></DT>
11852 <DD>Techniques for converting a readable message (<A href="#plaintext">
11853 plaintext</A>) into apparently random material (<A href="#ciphertext">
11854 ciphertext</A>) which cannot be read if intercepted. A key is required
11855 to read the message. </DD>
11856 <P>Major variants include <A href="#symmetric">symmetric</A> encryption
11857 in which sender and receiver use the same secret key and <A href="#public">
11858 public key</A> methods in which the sender uses one of a matched pair
11859 of keys and the receiver uses the other. Many current systems,
11860 including <A href="#IPSEC">IPSEC</A>, are <A href="#hybrid">hybrids</A>
11861 combining the two techniques.</P>
11862 <DT><A name="ESP">ESP</A></DT>
11863 <DD><B>E</B>ncapsulated <B>S</B>ecurity <B>P</B>ayload, the <A href="#IPSEC">
11864 IPSEC</A> protocol which provides <A href="#encryption">encryption</A>.
11865 It can also provide <A href="#authentication">authentication</A>
11866 service and may be used with null encryption (which we do not
11867 recommend). For details see our <A href="#ESP">IPSEC Overview</A>
11868 document and/or RFC 2406.</DD>
11869 <DT><A name="extruded">Extruded subnet</A></DT>
11870 <DD>A situation in which something IP sees as one network is actually
11871 in two or more places. </DD>
11872 <P>For example, the Internet may route all traffic for a particular
11873 company to that firm's corporate gateway. It then becomes the
11874 company's problem to get packets to various machines on their <A href="#subnet">
11875 subnets</A> in various departments. They may decide to treat a branch
11876 office like a subnet, giving it IP addresses "on" their corporate net.
11877 This becomes an extruded subnet.</P>
11878 <P>Packets bound for it are delivered to the corporate gateway, since
11879 as far as the outside world is concerned, that subnet is part of the
11880 corporate network. However, instead of going onto the corporate LAN
11881 (as they would for, say, the accounting department) they are then
11882 encapsulated and sent back onto the Internet for delivery to the
11884 <P>For information on doing this with Linux FreeS/WAN, look in our <A href="#extruded">
11885 Configuration</A> file.</P>
11886 <DT>Exhaustive search</DT>
11887 <DD>See <A href="#brute">brute force attack</A>.</DD>
11888 <DT><A name="F">F</A></DT>
11889 <DT><A name="FIPS"><A name="F">FIPS</A></A></DT>
11890 <DD><B>F</B>ederal <B>I</B>nformation <B>P</B>rocessing <B>S</B>
11891 tandard, the US government's standards for products it buys. These are
11892 issued by <A href="#NIST">NIST</A>. Among other things, <A href="#DES">
11893 DES</A> and <A href="#SHA">SHA</A> are defined in FIPS documents. NIST
11894 have a <A href="http://www.itl.nist.gov/div897/pubs">FIPS home page</A>.</DD>
11895 <DT><A name="FSF">Free Software Foundation (FSF)</A></DT>
11896 <DD>An organisation to promote free software, free in the sense of
11897 these quotes from their web pages</DD>
11898 <DD><BLOCKQUOTE> "Free software" is a matter of liberty, not price. To
11899 understand the concept, you should think of "free speech", not "free
11901 <P>"Free software" refers to the users' freedom to run, copy,
11902 distribute, study, change and improve the software.</P>
11904 <P>See also <A href="#GNU">GNU</A>, <A href="#GPL">GNU General Public
11905 License</A>, and <A href="http://www.fsf.org">the FSF site</A>.</P>
11907 <DD>see <A href="#FreeSWAN">Linux FreeS/WAN</A></DD>
11909 <DD>see <A href="#FSF">Free software Foundation</A></DD>
11910 <DT><A name="G">G</A></DT>
11911 <DT><A name="GCHQ"><A name="G">GCHQ</A></A></DT>
11912 <DD><A href="http://www.gchq.gov.uk">Government Communications
11913 Headquarters</A>, the British organisation for <A href="#SIGINT">
11914 signals intelligence</A>.</DD>
11915 <DT>generator of a prime field</DT>
11916 <DD>see <A href="#dlog">discrete logarithm problem</A></DD>
11917 <DT><A name="GILC">GILC</A></DT>
11918 <DD><A href="http://www.gilc.org">Global Internet Liberty Campaign</A>,
11919 an international organisation advocating, among other things, free
11920 availability of cryptography. They have a <A href="http://www.gilc.org/crypto/wassenaar">
11921 campaign</A> to remove cryptographic software from the <A href="#Wassenaar">
11922 Wassenaar Arrangement</A>.</DD>
11923 <DT>Global Internet Liberty Campaign</DT>
11924 <DD>see <A href="#GILC">GILC</A>.</DD>
11925 <DT><A name="GTR"><A href="http://www.cl.cam.ac.uk/Research/Security/Trust-Register">
11926 Global Trust Register</A></A></DT>
11927 <DD>An attempt to create something like a <A href="#rootCA">root CA</A>
11928 for <A href="#PGP">PGP</A> by publishing both <A href="#GTR">as a book</A>
11929 and <A href="http://www.cl.cam.ac.uk/Research/Security/Trust-Register">
11930 on the web</A> the fingerprints of a set of verified keys for
11931 well-known users and organisations.</DD>
11933 <DD>The <B>G</B>NU <B>M</B>ulti-<B>P</B>recision library code, used in <A
11934 href="#FreeSWAN"> Linux FreeS/WAN</A> by <A href="#Pluto">Pluto</A> for <A
11935 href="#public">public key</A> calculations.</DD>
11936 <DT><A name="GNU">GNU</A></DT>
11937 <DD><B>G</B>NU's <B>N</B>ot <B>U</B>nix, the <A href="#FSF">Free
11938 Software Foundation's</A> project aimed at creating a free system with
11939 at least the capabilities of Unix. <A href="#Linux">Linux</A> uses GNU
11940 utilities extensively.</DD>
11942 <DD>see <A href="#GPG">GNU Privacy Guard</A></DD>
11943 <DT><A name="GPL">GNU <A href="http://www.fsf.org/copyleft/gpl.html">
11944 General Public License</A>(GPL, copyleft)</A></DT>
11945 <DD>The license developed by the <A href="#FSF">Free Software
11946 Foundation</A> under which <A href="#Linux">Linux</A>, <A href="#FreeSWAN">
11947 Linux FreeS/WAN</A> and many other pieces of software are distributed.
11948 The license allows anyone to redistribute and modify the code, but
11949 forbids anyone from distributing executables without providing access
11950 to source code. For more details see the file <A href="../COPYING">
11951 COPYING</A> included with GPLed source distributions, including ours,
11952 or <A href="http://www.fsf.org/copyleft/gpl.html"> the GNU site's GPL
11954 <DT><A name="GPG"><A href="http://www.gnupg.org">GNU Privacy Guard</A></A>
11956 <DD>An open source implementation of Open <A href="#PGP">PGP</A> as
11957 defined in RFC 2440.</DD>
11959 <DD>see <A href="#GPL">GNU General Public License</A>.</DD>
11960 <DT><A name="H">H</A></DT>
11961 <DT><A name="hash">Hash</A></DT>
11962 <DD>see <A href="#digest">message digest</A></DD>
11963 <DT><A name="HMAC">Hashed Message Authentication Code (HMAC)</A></DT>
11964 <DD>using keyed <A href="#digest">message digest</A> functions to
11965 authenticate a message. This differs from other uses of these
11968 <LI>In normal usage, the hash function's internal variable are
11969 initialised in some standard way. Anyone can reproduce the hash to
11970 check that the message has not been altered.</LI>
11971 <LI>For HMAC usage, you initialise the internal variables from the
11972 key. Only someone with the key can reproduce the hash. A successful
11973 check of the hash indicates not only that the message is unchanged but
11974 also that the creator knew the key.</LI>
11977 <P>The exact techniques used in <A href="#IPSEC">IPSEC</A> are defined
11978 in RFC 2104. They are referred to as HMAC-MD5-96 and HMAC-SHA-96
11979 because they output only 96 bits of the hash. This makes some attacks
11980 on the hash functions harder.</P>
11982 <DD>see <A href="#HMAC">Hashed Message Authentication Code</A></DD>
11983 <DT>HMAC-MD5-96</DT>
11984 <DD>see <A href="#HMAC">Hashed Message Authentication Code</A></DD>
11985 <DT>HMAC-SHA-96</DT>
11986 <DD>see <A href="#HMAC">Hashed Message Authentication Code</A></DD>
11987 <DT><A name="hybrid">Hybrid cryptosystem</A></DT>
11988 <DD>A system using both <A href="#public">public key</A> and <A href="#symmetric">
11989 symmetric cipher</A> techniques. This works well. Public key methods
11990 provide key management and <A href="#signature">digital signature</A>
11991 facilities which are not readily available using symmetric ciphers.
11992 The symmetric cipher, however, can do the bulk of the encryption work
11993 much more efficiently than public key methods.</DD>
11994 <DT><A name="I">I</A></DT>
11995 <DT><A name="IAB">IAB</A></DT>
11996 <DD><A href="http://www.iab.org/iab">Internet Architecture Board</A>.</DD>
11997 <DT><A name="icmp">ICMP</A></DT>
11998 <DD><STRONG>I</STRONG>nternet <STRONG>C</STRONG>ontrol <STRONG> M</STRONG>
11999 essage <STRONG>P</STRONG>rotocol. This is used for various
12000 IP-connected devices to manage the network.</DD>
12001 <DT><A name="IDEA">IDEA</A></DT>
12002 <DD><B>I</B>nternational <B>D</B>ata <B>E</B>ncrypion <B>A</B>lgorithm,
12003 developed in Europe as an alternative to exportable American ciphers
12004 such as <A href="#DES">DES</A> which were <A href="#desnotsecure">too
12005 weak for serious use</A>. IDEA is a <A href="#block">block cipher</A>
12006 using 64-bit blocks and 128-bit keys, and is used in products such as <A
12007 href="#PGP"> PGP</A>. </DD>
12008 <P>IDEA is not required by the <A href="#IPSEC">IPSEC</A> RFCs and not
12009 currently used in <A href="#FreeSWAN">Linux FreeS/WAN</A>.</P>
12010 <P>IDEA is patented and, with strictly limited exceptions for personal
12011 use, using it requires a license from <A href="http://www.ascom.com">
12013 <DT><A name="IESG">IESG</A></DT>
12014 <DD><A href="http://www.ietf.org">Internet Engineering Steering Group</A>
12016 <DT><A name="IETF">IETF</A></DT>
12017 <DD><A href="http://www.ietf.org">Internet Engineering Task Force</A>,
12018 the umbrella organisation whose various working groups make most of
12019 the technical decisions for the Internet. The IETF <A href="http://www.ietf.org/html.charters/ipsec-charter.html">
12020 IPSEC working group</A> wrote the <A href="#RFC">RFCs</A> we are
12022 <DT><A name="IKE">IKE</A></DT>
12023 <DD><B>I</B>nternet <B>K</B>ey <B>E</B>xchange, based on the <A href="#DH">
12024 Diffie-Hellman</A> key exchange protocol. IKE is implemented in <A href="#FreeSWAN">
12025 Linux FreeS/WAN</A> by the <A href="#Pluto">Pluto daemon</A>.</DD>
12026 <DT><A name="IV">Initialisation Vector (IV)</A></DT>
12027 <DD>Some cipher <A href="#mode">modes</A>, including the <A href="#CBC">
12028 CBC</A> mode which IPSEC uses, require some extra data at the
12029 beginning. This data is called the initialisation vector. It need not
12030 be secret, but should be different for each message. Its function is
12031 to prevent messages which begin with the same text from encrypting to
12032 the same ciphertext. That might give an analyst an opening, so it is
12033 best prevented.</DD>
12034 <DT><A name="IP">IP</A></DT>
12035 <DD><B>I</B>nternet <B>P</B>rotocol.</DD>
12036 <DT><A name="masq">IP masquerade</A></DT>
12037 <DD>A method of allowing multiple machines to communicate over the
12038 Internet when only one IP address is available for their use. See the
12039 Linux masquerade <A href="http://www.tor.shaw.wave.ca/~ambrose">
12040 resource page</A> for details. </DD>
12041 <P>The client machines are set up with reserved <A href="non-routable">
12042 non-routable</A> IP addresses defined in RFC 1918. The masquerading
12043 gateway, the machine with the actual link to the Internet, rewrites
12044 packet headers so that all packets going onto the Internet appear to
12045 come from one IP address, that of its Internet interface. It then gets
12046 all the replies, does some table lookups and more header rewriting,
12047 and delivers the replies to the appropriate client machines.</P>
12048 <P> For information on using masquerade with Linux FreeS/WAN, see our <A href="#NAT">
12049 firewall document</A> and the <A href="#masq.faq">FAQ</A> and.</P>
12050 <DT><A name="IPng">IPng</A></DT>
12051 <DD>"IP the Next Generation", see <A href="#ipv6.gloss">IPv6</A>.</DD>
12052 <DT><A name="IPv4">IPv4</A></DT>
12053 <DD>The current version of the <A href="#IP">Internet protocol suite</A>
12055 <DT><A name="ipv6.gloss">IPv6 (IPng)</A></DT>
12056 <DD>Version six of the <A href="#IP">Internet protocol suite</A>,
12057 currently being developed. It will replace the current <A href="#IPv4">
12058 version four</A>. IPv6 has <A href="#IPSEC">IPSEC</A> as a mandatory
12060 <P>See this <A href="http://playground.sun.com/pub/ipng/html/ipng-main.html">
12061 web site</A> for more details, and our <A href="#ipv6">compatibility</A>
12062 document for information on FreeS/WAN and the Linux implementation of
12064 <DT><A name="IPSEC">IPSEC</A></DT>
12065 <DD><B>I</B>nternet <B>P</B>rotocol <B>SEC</B>urity, security functions
12066 (<A href="#authentication">authentication</A> and <A href="#encryption">
12067 encryption</A>) implemented at the IP level of the protocol stack. It
12068 is optional for <A href="#IPv4">IPv4</A> and mandatory for <A href="#ipv6.gloss">
12070 <P>This is the standard <A href="#FreeSWAN">Linux FreeS/WAN</A> is
12071 implementing. For more details, see our <A href="#overview">IPSEC
12072 Overview</A>. For the standards, see RFCs listed in our <A href="#RFC">
12073 RFCs document</A>.</P>
12074 <DT><A name="ISAKMP">ISAKMP</A></DT>
12075 <DD><B>I</B>nternet <B>S</B>ecurity <B>A</B>ssociation and <B>K</B>ey <B>
12076 M</B>anagement <B>P</B>rotocol, defined in RFC 2408.</DD>
12077 <DT><A name="ITAR">ITAR</A></DT>
12078 <DD><B>I</B>nternational <B>T</B>raffic in <B>A</B>rms <B> R</B>
12079 egulations, US regulations administered by the State Department which
12080 until recently limited export of, among other things, cryptographic
12081 technology and software. ITAR still exists, but the limits on
12082 cryptography have now been transferred to the <A href="#EAR">Export
12083 Administration Regulations</A> under the Commerce Department's <A href="#BXA">
12084 Bureau of Export Administration</A>.</DD>
12086 <DD>see <A href="#IV">Initialisation vector</A></DD>
12087 <DT><A name="J">J</A></DT>
12088 <DT><A name="K">K</A></DT>
12089 <DT><A name="kernel">Kernel</A></DT>
12090 <DD>The basic part of an operating system (e.g. Linux) which controls
12091 the hardware and provides services to all other programs. </DD>
12092 <P>In the Linux release numbering system, an even second digit as in 2.<STRONG>
12093 2</STRONG>.x indicates a stable or production kernel while an odd
12094 number as in 2.<STRONG>3</STRONG>.x indicates an experimental or
12095 development kernel. Most users should run a recent kernel version from
12096 the production series. The development kernels are primarily for
12097 people doing kernel development. Others should consider using
12098 development kernels only if they have an urgent need for some feature
12099 not yet available in production kernels.</P>
12100 <DT>Keyed message digest</DT>
12101 <DD>See <A href="#HMAC">HMAC</A>.</DD>
12102 <DT>Key length</DT>
12103 <DD>see <A href="#brute">brute force attack</A></DD>
12104 <DT><A name="KLIPS">KLIPS</A></DT>
12105 <DD><B>K</B>erne<B>l</B><B> IP</B><B> S</B>ecurity, the <A href="#FreeSWAN">
12106 Linux FreeS/WAN</A> project's changes to the <A href="#Linux">Linux</A>
12107 kernel to support the <A href="#IPSEC">IPSEC</A> protocols.</DD>
12108 <DT><A name="L">L</A></DT>
12109 <DT><A name="LDAP">LDAP</A></DT>
12110 <DD><B>L</B>ightweight <B>D</B>irectory <B>A</B>ccess <B>P</B>rotocol,
12111 defined in RFCs 1777 and 1778, a method of accessing information
12112 stored in directories. LDAP is used by several <A href="#PKI">PKI</A>
12113 implementations, often with X.501 directories and <A href="#X509">X.509</A>
12114 certificates. It may also be used by <A href="#IPSEC">IPSEC</A> to
12115 obtain key certifications from those PKIs. This is not yet implemented
12116 in <A href="#FreeSWAN">Linux FreeS/WAN</A>.</DD>
12117 <DT><A name="LIBDES">LIBDES</A></DT>
12118 <DD>A publicly available library of <A href="#DES">DES</A> code,
12119 written by Eric Young, which <A href="#FreeSWAN">Linux FreeS/WAN</A>
12120 uses in both <A href="#KLIPS">KLIPS</A> and <A href="#Pluto">Pluto</A>
12122 <DT><A name="Linux">Linux</A></DT>
12123 <DD>A freely available Unix-like operating system based on a kernel
12124 originally written for the Intel 386 architecture by (then) student
12125 Linus Torvalds. Once his 32-bit kernel was available, the <A href="#GNU">
12126 GNU</A> utilities made it a usable system and contributions from many
12127 others led to explosive growth. </DD>
12128 <P>Today Linux is a complete Unix replacement available for several
12129 CPU architectures -- Intel, DEC/Compaq Alpha, Power PC, both 32-bit
12130 SPARC and the 64-bit UltraSPARC, SrongARM, . . . -- with support for
12131 multiple CPUs on some architectures.</P>
12132 <P><A href="#FreeSWAN">Linux FreeS/WAN</A> is intended to run on all
12133 CPUs supported by Linux and is known to work on several. See our <A href="#CPUs">
12134 compatibility</A> section for a list.</P>
12135 <DT><A name="FreeSWAN">Linux FreeS/WAN</A></DT>
12136 <DD>Our implementation of the <A href="#IPSEC">IPSEC</A> protocols,
12137 intended to be freely redistributable source code with <A href="#GPL">
12138 a GNU GPL license</A> and no constraints under US or other <A href="#exlaw">
12139 export laws</A>. Linux FreeS/WAN is intended to interoperate with
12140 other <A href="#IPSEC">IPSEC</A> implementations. The name is partly
12141 taken, with permission, from the <A href="#SWAN">S/WAN</A> multi-vendor
12142 IPSEC compatability effort. Linux FreeS/WAN has two major components, <A
12143 href="#KLIPS">KLIPS</A> (KerneL IPSEC Support) and the <A href="#Pluto">
12144 Pluto</A> daemon which manages the whole thing. </DD>
12145 <P>See our <A href="#overview">IPSEC Overview</A> for more detail. For
12146 the code see our <A href="http://freeswan.org"> primary distribution
12147 site</A> or one of the mirror sites on <A href="intro.html#mirrors">
12149 <DT><A name="M">M</A></DT>
12150 <DT><A name="list">Mailing list</A></DT>
12151 <DD>The <A href="#FreeSWAN">Linux FreeS/WAN</A> project has several
12152 public email lists for bug reports and software development
12153 discussions. See our document on <A href="mail.html">mailing lists</A>.</DD>
12154 <DT><A name="middle">Man-in-the-middle attack</A></DT>
12155 <DD>An <A href="#active">active attack</A> in which the attacker
12156 impersonates each of the legitimate players in a protocol to the
12158 <P>For example, if <A href="#alicebob">Alice and Bob</A> are
12159 negotiating a key via the <A href="#DH">Diffie-Hellman</A> key
12160 agreement, and are not using <A href="#authentication">authentication</A>
12161 to be certain they are talking to each other, then an attacker able
12162 to insert himself in the communication path can deceive both players.</P>
12163 <P>Call the attacker Mallory. For Bob, he pretends to be Alice. For
12164 Alice, he pretends to be Bob. Two keys are then negotiated,
12165 Alice-to-Mallory and Bob-to-Mallory. Alice and Bob each think the key
12166 they have is Alice-to-Bob.</P>
12167 <P>A message from Alice to Bob then goes to Mallory who decrypts it,
12168 reads it and/or saves a copy, re-encrypts using the Bob-to-Mallory key
12169 and sends it along to Bob. Bob decrypts successfully and sends a reply
12170 which Mallory decrypts, reads, re-encrypts and forwards to Alice.</P>
12171 <P>To make this attack effective, Mallory must</P>
12173 <LI>subvert some part of the network in some way that lets him carry
12175 <BR> possible targets: DNS, router, Alice or Bob's machine, mail
12177 <LI>beat any authentication mechanism Alice and Bob use
12178 <BR> strong authentication defeats the attack entirely; this is why <A href="#IKE">
12179 IKE</A> requires authentication</LI>
12180 <LI>work in real time, delivering messages without introducing a delay
12181 large enough to alert the victims
12182 <BR> not hard if Alice and Bob are using email; quite difficult in some
12185 <P>If he manages it, however, it is devastating. He not only gets to
12186 read all the messages; he can alter messages, inject his own, forge
12187 anything he likes, . . . In fact, he controls the communication
12189 <DT><A name="manual">Manual keying</A></DT>
12190 <DD>An IPSEC mode in which the keys are provided by the administrator.
12191 In FreeS/WAN, they are stored in /etc/ipsec.conf. The alternative, <A href="#auto">
12192 automatic keying</A>, is preferred in most cases.</DD>
12193 <DT><A name="MD4">MD4</A></DT>
12194 <DD><A href="#digest">Message Digest Algorithm</A> Four from Ron Rivest
12195 of <A href="#RSAco">RSA</A>. MD4 was widely used a few years ago, but
12196 is now considered obsolete. It has been replaced by its descendants <A href="#MD5">
12197 MD5</A> and <A href="#SHA">SHA</A>.</DD>
12198 <DT><A name="MD5">MD5</A></DT>
12199 <DD><A href="#digest">Message Digest Algorithm</A> Five from Ron Rivest
12200 of <A href="#RSAco">RSA</A>, an improved variant of his <A href="#MD4">
12201 MD4</A>. Like MD4, it produces a 128-bit hash. For details see RFC
12203 <P>MD5 is one of two message digest algorithms available in IPSEC. The
12204 other is <A href="#SHA">SHA</A>. SHA produces a longer hash and is
12205 therefore more resistant to <A href="#birthday">birthday attacks</A>,
12206 but this is not a concern for IPSEC. The <A href="#HMAC">HMAC</A>
12207 method used in IPSEC is secure even if the underlying hash is not
12208 particularly strong against this attack.</P>
12209 <DT><A name="meet">Meet-in-the-middle attack</A></DT>
12210 <DD>A divide-and-conquer attack which breaks a cipher into two parts,
12211 works against each separately, and compares results. Probably the best
12212 known example is an attack on double DES. This applies in principle to
12213 any pair of block ciphers, e.g. to an encryption system using, say,
12214 CAST-128 and Blowfish, but we will describe it for double DES. </DD>
12215 <P>Double DES encryption and decryption can be written:</P>
12216 <PRE> C = E(k2,E(k1,P))
12217 P = D(k1,D(k2,C))</PRE>
12218 <P>Where C is ciphertext, P is plaintext, E is encryption, D is
12219 decryption, k1 is one key, and k2 is the other key. If we know a P, C
12220 pair, we can try and find the keys with a brute force attack, trying
12221 all possible k1, k2 pairs. Since each key is 56 bits, there are 2<SUP>
12222 112</SUP> such pairs and this attack is painfully inefficient.</P>
12223 <P>The meet-in-the middle attack re-writes the equations to calculate
12224 a middle value M:</P>
12227 <P>Now we can try some large number of D(k2,C) decryptions with
12228 various values of k2 and store the results in a table. Then start
12229 doing E(k1,P) encryptions, checking each result to see if it is in the
12231 <P>With enough table space, this breaks double DES with 2<SUP>57</SUP>
12232 work. The memory requirements of such attacks can be prohibitive, but
12233 there is a whole body of research literature on methods of reducing
12235 <DT><A name="digest">Message Digest Algorithm</A></DT>
12236 <DD>An algorithm which takes a message as input and produces a hash or
12237 digest of it, a fixed-length set of bits which depend on the message
12238 contents in some highly complex manner. Design criteria include making
12239 it extremely difficult for anyone to counterfeit a digest or to change
12240 a message without altering its digest. One essential property is <A href="#collision">
12241 collision resistance</A>. The main applications are in message <A href="#authentication">
12242 authentication</A> and <A href="#signature">digital signature</A>
12243 schemes. Widely used algorithms include <A href="#MD5">MD5</A> and <A href="#SHA">
12244 SHA</A>. In IPSEC, message digests are used for <A href="#HMAC">HMAC</A>
12245 authentication of packets.</DD>
12246 <DT><A name="MTU">MTU</A></DT>
12247 <DD><STRONG>M</STRONG>aximum <STRONG>T</STRONG>ransmission <STRONG> U</STRONG>
12248 nit, the largest size of packet that can be sent over a link. This is
12249 determined by the underlying network, but must be taken account of at
12250 the IP level. </DD>
12251 <P>IP packets, which can be up to 64K bytes each, must be packaged
12252 into lower-level packets of the appropriate size for the underlying
12253 network(s) and re-assembled on the other end. When a packet must pass
12254 over multiple networks, each with its own MTU, and many of the MTUs
12255 are unknown to the sender, this becomes a fairly complex problem. See <A
12256 href="#pathMTU"> path MTU discovery</A> for details.</P>
12257 <P>Often the MTU is a few hundred bytes on serial links and 1500 on
12258 Ethernet. There are, however, serial link protocols which use a larger
12259 MTU to avoid fragmentation at the ethernet/serial boundary, and newer
12260 (especially gigabit) Ethernet networks sometimes support much larger
12261 packets because these are more efficient in some applications.</P>
12262 <DT><A name="N">N</A></DT>
12263 <DT><A name="NAI">NAI</A></DT>
12264 <DD><A href="http://www.nai.com">Network Associates</A>, a conglomerate
12265 formed from <A href="#PGPI">PGP Inc.</A>, <A href="#">TIS</A>,
12266 Macaffee Anti-virus products and several others. Among other things,
12267 they offer an IPSEC-based <A href="http://www.nai.com/products/security/prodserv/gauntlet/vpn/index.asp">
12269 <DT><A name="NAT.gloss">NAT</A></DT>
12270 <DD><B>N</B>etwork <B>A</B>ddress <B>T</B>ranslation.</DD>
12271 <DT><A name="NIST">NIST</A></DT>
12272 <DD>The US <A href="http://www.nist.gov"> National Institute of
12273 Standards and Technology</A>, responsible for <A href="#FIPS">FIPS
12274 standards</A> including <A href="#DES">DES</A> and its replacement, <A href="#AES">
12276 <DT><A name="nonce">Nonce</A></DT>
12277 <DD>A <A href="#random">random</A> value used in an <A href="#authentication">
12278 authentication</A> protocol.</DD>
12280 <DT><A name="non-routable">Non-routable IP address</A></DT>
12281 <DD>An IP address not normally allowed in the "to" or "from" IP address
12282 field header of IP packets. </DD>
12283 <P>Almost invariably, the phrase "non-routable address" means one of
12284 the addresses reserved by RFC 1918 for private networks:</P>
12286 <LI>10.anything</LI>
12287 <LI>172.x.anything with 16 <= x <= 31</LI>
12288 <LI>192.168.anything</LI>
12290 <P>These addresses are commonly used on private networks, e.g. behind
12291 a Linux machines doing <A href="#masq">IP masquerade</A>. Machines
12292 within the private network can address each other with these
12293 addresses. All packets going outside that network, however, have these
12294 addresses replaced before they reach the Internet.</P>
12295 <P>If any packets using these addresses do leak out, they do not go
12296 far. Most routers automatically discard all such packets.</P>
12297 <P>Various other addresses -- the 127.0.0.0/8 block reserved for local
12298 use, 0.0.0.0, various broadcast and network addresses -- cannot be
12299 routed over the Internet, but are not normally included in the meaning
12300 when the phrase "non-routable address" is used.</P>
12301 <DT><A name="NSA">NSA</A></DT>
12302 <DD>The US <A href="http://www.nsa.gov"> National Security Agency</A>,
12303 the American organisation for <A href="#SIGINT">signals intelligence</A>
12304 , the protection of US government messages and the interception and
12305 analysis of other messages. For details, see Bamford's <A href="#puzzle">
12306 "The Puzzle Palace"</A>. </DD>
12307 <P>Some <A href="http://www.gwu.edu/~nsarchiv/NSAEBB/NSAEBB23/index.html">
12308 history of NSA</A> documents were declassified in response to a FOIA
12309 (Freedom of Information Act) request.</P>
12310 <DT><A name="O">O</A></DT>
12311 <DT><A name="oakley">Oakley</A></DT>
12312 <DD>A key determination protocol, defined in RFC 2412.</DD>
12313 <DT>Oakley groups</DT>
12314 <DD>The groups used as the basis of <A href="#DH">Diffie-Hellman</A>
12315 key exchange in the Oakley protocol, and in <A href="#IKE">IKE</A>.
12316 Four were defined in the original RFC, and a fifth has been <A href="http://www.lounge.org/ike_doi_errata.html">
12317 added since</A>. </DD>
12318 <P>Linux FreeS/WAN currently supports the three groups based on finite
12319 fields modulo a prime (Groups 1, 2 and 5) and does not support the
12320 elliptic curve groups (3 and 4). For a description of the difference
12321 of the types, see <A href="#dlog">discrete logarithms</A>.</P>
12322 <DT><A name="OTP">One time pad</A></DT>
12323 <DD>A cipher in which the key is:
12325 <LI>as long as the total set of messages to be enciphered</LI>
12326 <LI>absolutely <A href="#random">random</A></LI>
12327 <LI>never re-used</LI>
12330 <P>Given those three conditions, it can easily be proved that the
12331 cipher is perfectly secure, in the sense that an attacker with
12332 intercepted message in hand has no better chance of guessing the
12333 message than an attacker who has nt interecepted the message and only
12334 knows the message length. No such proof exists for any other cipher.</P>
12335 <P>There are, however, several problems with this "perfect" cipher.</P>
12337 <LI>It is wildly impractical for many applications. Key management is
12338 difficult or impossible.</LI>
12339 <LI>It is <EM>extremely</EM> fragile. Small changes which violate the
12340 conditions listed above do not just weaken the cipher a bit; quite
12341 often they destroy its security completely.
12343 <LI>Re-using the pad weakens it to the point where it can be broken
12344 with pencil and paper. With a computer, the attack is trivially easy.</LI>
12345 <LI>Using computer-generated pseudo-random numbers instead of a really <A
12346 href="#random">random</A> pad completely invalidates the security
12347 proof. Depending on random number generator used, this may also give
12348 an extremely weak cipher.</LI>
12351 <LI>If an attacker knows the plaintext and has an intercepted message,
12352 he can discover the pad. This does not matter if the attacker is just
12353 a <A href="#passive">passive</A> eavesdropper. It gives him no
12354 plaintext he didn't already know and we don't care that he learns a
12355 pad which we'll never re-use. However, knowing the pad lets an <A href="#active">
12356 active</A> attacker perform a <A href="#middle">man-in-the-middle</A>
12357 attack, replacing your message with whatever he chooses.</LI>
12359 <P>Marketing claims about the "unbreakable" security of various
12360 products which somewhat resemble one-time pads are common. Such claims
12361 are one of the surest signs of cryptographic <A href="#snake">snake
12362 oil</A>. Systems marketed with such claims are usually completely
12364 <P>See also the <A href="http://www.clark.net/pub/mjr/pubs/otpfaq/">one
12365 time pad FAQ</A>.</P>
12366 <DT><A name="carpediem">Opportunistic encryption</A></DT>
12367 <DD>A situation in which any two IPSEC-aware machines can secure their
12368 communications, without a pre-shared secret and without a common <A href="#PKI">
12369 PKI</A> or previous exchange of public keys. This is one of the goals
12370 of the Linux FreeS/WAN project, discussed in our <A href="#goals">
12371 introduction</A> section. </DD>
12372 <P> Setting up for opportunistic encryption is described in our <A href="#oppex">
12373 configuration</A> document.</P>
12374 <DT><A name="P">P</A></DT>
12375 <DT><A name="P1363"><A href="http://grouper.ieee.org/groups/1363">P1363
12376 standard</A></A></DT>
12377 <DD>An <A href="#IEEE">IEEE</A> standard for public key cryptography.</DD>
12378 <DT><A name="passive">Passive attack</A></DT>
12379 <DD>An attack in which the attacker only eavesdrops and attempts to
12380 analyse intercepted messages, as opposed to an <A href="#active">
12381 active attack</A> in which he diverts messages or generates his own.</DD>
12382 <DT><A name="pathMTU">Path <A href="#MTU">MTU</A></A> discovery</DT>
12383 <DD>The process of discovering the largest packet size which all links
12384 on a path can handle without fragmentation -- that is, without any
12385 router having to break the packet up into smaller pieces to match the <A
12386 href="#MTU"> MTU</A> of its outgoing link. </DD>
12387 <P>This is done as follows:</P>
12389 <LI>originator sends the largest packets allowed by <A href="#MTU">MTU</A>
12390 of the first link, setting the DF (<STRONG>d</STRONG>on't <STRONG>f</STRONG>
12391 ragment) bit in the packet header</LI>
12392 <LI>any router which cannot send the packet on (outgoing MTU is too
12393 small for it, and DF prevents fragmenting it to match) sends back an <A
12394 href="#ICMP">ICMP</A> packet reporting the problem</LI>
12395 <LI>originator looks at ICMP message and tries a smaller size</LI>
12396 <LI>eventually, you settle on a size that can pass all routers</LI>
12397 <LI>thereafter, originator just sends that size and no-one has to
12400 <P>Since this requires co-operation of many systems, and since the
12401 next packet may travel a different path, this is one of the trickier
12402 areas of IP programming. Bugs that have shown up over the years have
12405 <LI>malformed ICMP messages</LI>
12406 <LI>hosts that ignore or mishandle these ICMP messages</LI>
12407 <LI>firewalls blocking the ICMP messages so host does not see them</LI>
12409 <P>Since IPSEC adds a header, it increases packet size and may require
12410 fragmentation even where incoming and outgoing MTU are equal.</P>
12411 <DT><A name="PFS">Perfect forward secrecy (PFS)</A></DT>
12412 <DD>A property of systems such as <A href="#DH">Diffie-Hellman</A> key
12413 exchange which use a long-term key (such as the shared secret in IKE)
12414 and generate short-term keys as required. If an attacker who acquires
12415 the long-term key <EM>provably</EM> can
12417 <LI><EM>neither</EM> read previous messages which he may have archived</LI>
12418 <LI><EM>nor</EM> read future messages without performing additional
12419 successful attacks</LI>
12422 <P>then the system has PFS. The attacker needs the short-term keys in
12423 order to read the trafiic and merely having the long-term key does not
12424 allow him to infer those. Of course, it may allow him to conduct
12425 another attack (such as <A href="#middle">man-in-the-middle</A>) which
12426 gives him some short-term keys, but he does not automatically get them
12427 just by acquiring the long-term key.</P>
12429 <DD>see Perfect Forward Secrecy</DD>
12430 <DT><A name="PGP">PGP</A></DT>
12431 <DD><B>P</B>retty <B>G</B>ood <B>P</B>rivacy, a personal encryption
12432 system for email based on public key technology, written by Phil
12434 <P>The 2.xx versions of PGP used the <A href="#RSA">RSA</A> public key
12435 algorithm and used <A href="#IDEA">IDEA</A> as the symmetric cipher.
12436 These versions are described in RFC 1991 and in <A href="#PGP">
12437 Garfinkel's book</A>. Since version 5, the products from <A href="#pgpi">
12438 PGP Inc</A>. have used <A href="#DH">Diffie-Hellman</A> public key
12439 methods and <A href="#CAST128">CAST-128</A> symmetric encryption. These
12440 can verify signatures from the 2.xx versions, but cannot exchange
12441 encryted messages with them.</P>
12442 <P>An <A href="#IETF">IETF</A> working group has issued RFC 2440 for
12443 an "Open PGP" standard, similar to the 5.x versions. PGP Inc. staff
12444 were among the authors. A free <A href="#GPG">Gnu Privacy Guard</A>
12445 based on that standard is now available.</P>
12446 <P>For more information on PGP, including how to obtain it, see our
12447 cryptography <A href="#tools">links</A>.</P>
12448 <DT><A name="PGPI">PGP Inc.</A></DT>
12449 <DD>A company founded by Zimmerman, the author of <A href="#PGP">PGP</A>
12450 , now a division of <A href="#NAI">NAI</A>. See the <A href="http://www.pgp.com">
12451 corporate website</A>. </DD>
12452 <P>Their PGP 6.5 product includes PGPnet, an IPSEC client for
12453 Macintosh or for Windows 95/98/NT.</P>
12454 <DT><A name="photuris">Photuris</A></DT>
12455 <DD>Another key negotiation protocol, an alternative to <A href="#IKE">
12456 IKE</A>, described in RFCs 2522 and 2523.</DD>
12457 <DT><A name="PPTP">PPTP</A></DT>
12458 <DD><B>P</B>oint-to-<B>P</B>oint <B>T</B>unneling <B>P</B>rotocol.
12459 Papers discussing weaknesses in it are on <A href="http://www.counterpane.com/publish.html">
12460 counterpane.com</A>.</DD>
12461 <DT><A name="PKI">PKI</A></DT>
12462 <DD><B>P</B>ublic <B>K</B>ey <B>I</B>nfrastructure, the things an
12463 organisation or community needs to set up in order to make <A href="#public">
12464 public key</A> cryptographic technology a standard part of their
12465 operating procedures. </DD>
12466 <P>There are several PKI products on the market. Typically they use a
12467 hierarchy of <A href="#CA">Certification Authorities (CAs)</A>. Often
12468 they use <A href="#LDAP">LDAP</A> access to <A href="#X509">X.509</A>
12469 directories to implement this.</P>
12470 <P>See <A href="#web">Web of Trust</A> for a different sort of
12471 infrastructure.</P>
12472 <DT><A name="PKIX">PKIX</A></DT>
12473 <DD><B>PKI</B> e<B>X</B>change, an <A href="#IETF">IETF</A> standard
12474 that allows <A href="#PKI">PKI</A>s to talk to each other. </DD>
12475 <P>This is required, for example, when users of a corporate PKI need
12476 to communicate with people at client, supplier or government
12477 organisations, any of which may have a different PKI in place. I
12478 should be able to talk to you securely whenever:</P>
12480 <LI>your organisation and mine each have a PKI in place</LI>
12481 <LI>you and I are each set up to use those PKIs</LI>
12482 <LI>the two PKIs speak PKIX</LI>
12483 <LI>the configuration allows the conversation</LI>
12485 <P>At time of writing (March 1999), this is not yet widely implemented
12486 but is under quite active development by several groups.</P>
12487 <DT><A name="plaintext">Plaintext</A></DT>
12488 <DD>The unencrypted input to a cipher, as opposed to the encrypted <A href="#ciphertext">
12489 ciphertext</A> output.</DD>
12490 <DT><A name="Pluto">Pluto</A></DT>
12491 <DD>The <A href="#FreeSWAN">Linux FreeS/WAN</A> daemon which handles
12492 key exchange via the <A href="#IKE">IKE</A> protocol, connection
12493 negotiation, and other higher-level tasks. Pluto calls the <A href="#KLIPS">
12494 KLIPS</A> kernel code as required. For details, see the manual page
12495 ipsec_pluto(8).</DD>
12496 <DT><A name="public">Public Key Cryptography</A></DT>
12497 <DD>In public key cryptography, keys are created in matched pairs.
12498 Encrypt with one half of a pair and only the matching other half can
12499 decrypt it. This contrasts with <A href="#symmetric">symmetric or
12500 secret key cryptography</A> in which a single key known to both
12501 parties is used for both encryption and decryption. </DD>
12502 <P>One half of each pair, called the public key, is made public. The
12503 other half, called the private key, is kept secret. Messages can then
12504 be sent by anyone who knows the public key to the holder of the
12505 private key. Encrypt with the public key and you know only someone
12506 with the matching private key can decrypt.</P>
12507 <P>Public key techniques can be used to create <A href="#signature">
12508 digital signatures</A> and to deal with key management issues, perhaps
12509 the hardest part of effective deployment of <A href="#symmetric">
12510 symmetric ciphers</A>. The resulting <A href="#hybrid">hybrid
12511 cryptosystems</A> use public key methods to manage keys for symmetric
12513 <P>Many organisations are currently creating <A href="#PKI">PKIs,
12514 public key infrastructures</A> to make these benefits widely
12516 <DT>Public Key Infrastructure</DT>
12517 <DD>see <A href="#PKI">PKI</A></DD>
12518 <DT><A name="Q">Q</A></DT>
12519 <DT><A name="R">R</A></DT>
12520 <DT><A name="random">Random</A></DT>
12521 <DD>A remarkably tricky term, far too much so for me to attempt a
12522 definition here. Quite a few cryptosystems have been broken via
12523 attacks on weak random number generators, even when the rest of the
12524 system was sound. </DD>
12525 <P>See RFC 1750 for the theory. It will be available <A href="../Internet-docs/rfc1750.txt">
12526 locally</A> if you have downloaded our RFC bundle (which is <A href="#RFC">
12527 described here</A>). Or read it <A href="http://nis.nsf.net/internet/documents/rfc/rfc1750.txt">
12528 on the net</A>.</P>
12529 <P>See the manual pages for ipsec_ranbits(8) and random(4) for details
12530 of what we use.</P>
12531 <P>There has recently been discussion on several mailing lists of the
12532 limitations of Linux /dev/random and of whether we are using it
12533 correctly. Those discussions are archived on the <A href="http://www.openpgp.net/random/index.html">
12534 /dev/random support page</A>.</P>
12535 <DT><A href="http://www.raptor.com">Raptor</A></DT>
12536 <DD>A firewall product for Windows NT offerring IPSEC-based VPN
12537 services. Linux FreeS/WAN interoperates with Raptor; see our <A href="#Raptor">
12538 Compatibility</A> document for details. Raptor have recently merged
12540 <DT><A name="RC4">RC4</A></DT>
12541 <DD><B>R</B>ivest <B>C</B>ipher four, designed by Ron Rivest of <A href="#RSAco">
12542 RSA</A> and widely used. Believed highly secure with adequate key
12543 length, but often implemented with inadequate key length to comply
12544 with export restrictions.</DD>
12545 <DT><A name="RC6">RC6</A></DT>
12546 <DD><B>R</B>ivest <B>C</B>ipher six, <A href="#RSAco">RSA</A>'s <A href="#AES">
12547 AES</A> candidate cipher.</DD>
12548 <DT><A name="replay">Replay attack</A></DT>
12549 <DD>An attack in which the attacker records data and later replays it
12550 in an attempt to deceive the recipient.</DD>
12552 <DD><B>R</B>equest <B>F</B>or <B>C</B>omments, an Internet document.
12553 Some RFCs are just informative. Others are standards. </DD>
12554 <P>Our list of <A href="#IPSEC">IPSEC</A> and other security-related
12555 RFCs is <A href="#RFC">here</A>, along with information on methods of
12556 obtaining them.</P>
12557 <DT><A name="RIPEMD">RIPEMD</A></DT>
12558 <DD>A <A href="#digest">message digest</A> algorithm. The current
12559 version is RIPEMD-160 which gives a 160-bit hash.</DD>
12560 <DT><A name="rootCA">Root CA</A></DT>
12561 <DD>The top level <A href="#CA">Certification Authority</A> in a
12562 hierachy of such authorities.</DD>
12563 <DT><A name="routable">Routable IP address</A></DT>
12564 <DD>Most IP addresses can be used as "to" and "from" addresses in
12565 packet headers. These are the routable addresses; we expect routing to
12566 be possible for them. If we send a packet to one of them, we expect
12567 (in most cases; there are various complications) that it will be
12568 delivered if the address is in use and will cause an <A href="#icmp">
12569 ICMP</A> error packet to come back to us if not. </DD>
12570 <P>There are also several classes of <A href="#non-routable">
12571 non-routable</A> IP addresses.</P>
12572 <DT><A name="RSA">RSA algorithm</A></DT>
12573 <DD><B>R</B>ivest <B>S</B>hamir <B>A</B>dleman public key encryption
12574 method, named for its three inventors. The algorithm is widely used
12575 and likely to become moreso since it became free of patent
12576 encumbrances in September 2000. </DD>
12577 <P> For a full explanation of the algorithm, consult one of the
12578 standard references such as <A href="#schneier">Applied Cryptography</A>
12579 . A simple explanation is: </P>
12580 <P> The great 17th century French mathematician <A href="http://www-groups.dcs.st-andrews.ac.uk/~history/Mathematicians/Fermat.html">
12581 Fermat</A> proved that, for any prime p and number x, 0
12585 modulo p x^(p-1) == 1 modulo p, non-zero x From this it follows
12586 that if we have a pair of primes p, q and two numbers e, d such that: </P>
12588 ed == 1 modulo lcm( p-1, q-1)
12590 where lcm() is least common multiple, then for all x, 0
12594 modulo pq, non-zero x x^ed == x modulo pq So we construct such as
12595 set of numbers p, q, e, d and publish the product N=pq and e as the
12596 public key. Encryption is then:
12600 An attacker cannot deduce x from the cyphertext c, short of either
12601 factoring N or solving the <A href="#dlog">discrete logarithm</A>
12602 problem for this field. If p, q are large primes (hundreds or
12603 thousands of bits) no efficient solution to either problem is known.
12604 <P> The receiver, knowing the private key (N and d), can readily find x
12607 c^d == (x^e)^d modulo N
12611 This gives an effective public key technique, with only a couple of
12612 problems. It uses a good deal of computer time, since calculations with
12613 large integers are not cheap, and there is no proof it is necessarily
12614 secure since no-one has proven either factoring or discrete log cannot
12615 be done efficiently.
12616 <DT><A name="RSAco">RSA Data Security</A></DT>
12617 <DD>A company founded by the inventors of the <A href="#RSA">RSA</A>
12618 public key algorithm.</DD>
12619 <DT><A name="S">S</A></DT>
12620 <DT><A name="SA">SA</A></DT>
12621 <DD><B>S</B>ecurity <B>A</B>ssociation, the channel negotiated by the
12622 higher levels of an <A href="#IPSEC">IPSEC</A> implementation and used
12623 by the lower. SAs are unidirectional; you need a pair of them for
12624 two-way communication. </DD>
12625 <P>An SA is defined by three things -- the destination, the protocol (<A
12626 href="#AH">AH</A> or<A href="#ESP">ESP</A>) and the <A href="SPI">SPI</A>
12627 , security parameters index. It is used to index other things such as
12628 session keys and intialisation vectors.</P>
12629 <P>For more detail, see our section on <A href="ipsec.html">IPSEC</A>
12630 and/or RFC 2401.</P>
12631 <DT><A name="SDNS"><A href="http://www.toad.com/~dnssec">Secure DNS</A></A>
12633 <DD>A version of the <A href="#DNS">DNS or Domain Name Service</A>
12634 enhanced with authentication services. This is being designed by the <A href="#IETF">
12635 IETF</A> DNS security <A href="http://www.ietf.org/ids.by.wg/dnssec.html">
12636 working group</A>. Check the <A href="http://www.isc.org/bind.html">
12637 Internet Software Consortium</A> for information on implementation
12638 progress and for the latest version of <A href="#BIND">BIND</A>.
12639 Another site has <A href="http://www.toad.com/~dnssec">more information</A>
12641 <P><A href="#IPSEC">IPSEC</A> can use this plus <A href="#DH">
12642 Diffie-Hellman key exchange</A> to bootstrap itself. This would allow <A
12643 href="#carpediem">opportunistic encryption</A>. Any pair of machines
12644 which could authenticate each other via DNS could communicate
12645 securely, without either a pre-existing shared secret or a shared <A href="#PKI">
12647 <P><A href="#FreeSWAN">Linux FreeS/WAN</A> will support this in a
12648 future release.</P>
12649 <DT>Secret key cryptography</DT>
12650 <DD>See <A href="#symmetric">symmetric cryptography</A></DD>
12651 <DT>Security Association</DT>
12652 <DD>see <A href="#SA">SA</A></DD>
12653 <DT><A name="sequence">Sequence number</A></DT>
12654 <DD>A number added to a packet or message which indicates its position
12655 in a sequence of packets or messages. This provides some security
12656 against <A href="#replay">replay attacks</A>. </DD>
12657 <P>For <A href="#auto">automatic keying</A> mode, the <A href="#IPSEC">
12658 IPSEC</A> RFCs require that the sender generate sequence numbers for
12659 each packet, but leave it optional whether the receiver does anything
12661 <DT><A name="SHA">SHA</A></DT>
12662 <DD><B>S</B>ecure <B>H</B>ash <B>A</B>lgorithm, a <A href="#digest">
12663 message digest algorithm</A> developed by the <A href="#NSA">NSA</A>
12664 for use in the Digital Signature standard, <A href="#FIPS">FIPS</A>
12665 number 186 from <A href="#NIST">NIST</A>. SHA is an improved variant
12666 of <A href="#MD4">MD4</A> producing a 160-bit hash. </DD>
12667 <P>SHA is one of two message digest algorithms available in IPSEC. The
12668 other is <A href="#MD5">MD5</A>. Some people do not trust SHA because
12669 it was developed by the <A href="#NSA">NSA</A>. There is, as far as we
12670 know, no cryptographic evidence that SHA is untrustworthy, but this
12671 does not prevent that view from being strongly held.</P>
12672 <DT><A name="SIGINT">Signals intelligence (SIGINT)</A></DT>
12673 <DD>Activities of government agencies from various nations aimed at
12674 protecting their own communications and reading those of others.
12675 Cryptography, cryptanalysis, wiretapping, interception and monitoring
12676 of various sorts of signals. The players include the American <A href="#NSA">
12677 NSA</A>, British <A href="#GCHQ">GCHQ</A> and Canadian <A href="#CSE">
12679 <DT><A name="SKIP">SKIP</A></DT>
12680 <DD><B>S</B>imple <B>K</B>ey management for <B>I</B>nternet <B> P</B>
12681 rotocols, an alternative to <A href="#IKE">IKE</A> developed by Sun
12682 and being marketed by their <A href="http://skip.incog.com">Internet
12683 Commerce Group</A>.</DD>
12684 <DT><A name="snake">Snake oil</A></DT>
12685 <DD>Bogus cryptography. See the <A href="http://www.interhack.net/people/cmcurtin/snake-oil-faq.html">
12686 Snake Oil FAQ</A> or <A href="http://www.counterpane.com/crypto-gram-9902.html#snakeoil">
12687 this paper</A> by Schneier.</DD>
12688 <DT><A name="SPI">SPI</A></DT>
12689 <DD><B>S</B>ecurity <B>P</B>arameter <B>I</B>ndex, an index used within <A
12690 href="#IPSEC"> IPSEC</A> to keep connections distinct. A <A href="#SA">
12691 Security Association (SA)</A> is defined by destination, protocol and
12692 SPI. Without the SPI, two connections to the same gateway using the
12693 same protocol could not be distinguished. </DD>
12694 <P>For more detail, see our <A href="#SPI">IPSEC Overview</A> and/or
12696 <DT><A name="SSH">SSH</A></DT>
12697 <DD><B>S</B>ecure <B>SH</B>ell, an encrypting replacement for the
12698 insecure Berkeley commands whose names begin with "r" for "remote":
12699 rsh, rlogin, etc. </DD>
12700 <P>For more information on SSH, including how to obtain it, see our
12701 cryptography <A href="#tools">links</A>.</P>
12702 <DT><A name="SSHco">SSH Communications Security</A></DT>
12703 <DD>A company founded by the authors of <A href="#SSH">SSH</A>. Offices
12704 are in <A href="http://www.ssh.fi">Finland</A> and <A href="http://www.ipsec.com">
12705 California</A>. They have a toolkit for developers of IPSEC
12707 <DT><A name="SSL">SSL</A></DT>
12708 <DD><A href="http://home.netscape.com/eng/ssl3">Secure Sockets Layer</A>
12709 , a set of encryption and authentication services for web browsers,
12710 developed by Netscape. Widely used in Internet commerce. Also known as <A
12711 href="#TLS">TLS</A>.</DD>
12713 <DD>A free implementation of <A href="#SSL">SSL</A> by Eric Young (eay)
12714 and others. Developed in Australia; not subject to US export controls.</DD>
12715 <DT><A name="stream">Stream cipher</A></DT>
12716 <DD>A <A href="#symmetric">symmetric cipher</A> which produces a stream
12717 of output which can be combined (often using XOR or bytewise addition)
12718 with the plaintext to produce ciphertext. Contrasts with <A href="#block">
12719 block cipher</A>. </DD>
12720 <P><A href="#IPSEC">IPSEC</A> does not use stream ciphers. Their main
12721 application is link-level encryption, for example of voice, video or
12722 data streams on a wire or a radio signal.</P>
12723 <DT><A name="subnet">subnet</A></DT>
12724 <DD>A group of IP addresses which are logically one network, typically
12725 (but not always) assigned to a group of physically connected machines.
12726 The range of addresses in a subnet is described using a subnet mask.
12727 See next entry.</DD>
12728 <DT>subnet mask</DT>
12729 <DD>A method of indicating the addresses included in a subnet. Here are
12730 two equivalent examples:
12732 <LI>101.101.101.0/24</LI>
12733 <LI>101.101.101.0 with mask 255.255.255.0</LI>
12736 <P>The '24' is shorthand for a mask with the top 24 bits one and the
12737 rest zero. This is exactly the same as 255.255.255.0 which has three
12738 all-ones bytes and one all-zeros byte.</P>
12739 <P>These indicate that, for this range of addresses, the top 24 bits
12740 are to be treated as naming a network (often referred to as "the
12741 101.101.101.0/24 subnet") while most combinations of the low 8 bits
12742 can be used to designate machines on that network. Two addresses are
12743 reserved; 101.101.101.0 refers to the subnet rather than a specific
12744 machine while 101.101.101.255 is a broadcast address. 1 to 254 are
12745 available for machines.</P>
12746 <P>It is common to find subnets arranged in a hierarchy. For example,
12747 a large company might have a /16 subnet and allocate /24 subnets
12748 within that to departments. An ISP might have a large subnet and
12749 allocate /26 subnets (64 addresses, 62 usable) to business customers
12750 and /29 subnets (8 addresses, 6 usable) to residential clients.</P>
12751 <DT><A name="SWAN">S/WAN</A></DT>
12752 <DD>Secure Wide Area Network, a project involving <A href="#RSAco">RSA
12753 Data Security</A> and a number of other companies. The goal was to
12754 ensure that all their <A href="#IPSEC">IPSEC</A> implementations would
12755 interoperate so that their customers can communicate with each other
12757 <DT><A name="symmetric">Symmetric cryptography</A></DT>
12758 <DD>Symmetric cryptography, also referred to as conventional or secret
12759 key cryptography, relies on a <EM>shared secret key</EM>, identical
12760 for sender and receiver. Sender encrypts with that key, receiver
12761 decrypts with it. The idea is that an eavesdropper without the key be
12762 unable to read the messages. There are two main types of symmetric
12763 cipher, <A href="#block">block ciphers</A> and <A href="#stream">
12764 stream ciphers</A>. </DD>
12765 <P>Symmetric cryptography contrasts with <A href="#public">public key</A>
12766 or asymmetric systems where the two players use different keys.</P>
12767 <P>The great difficulty in symmetric cryptography is, of course, key
12768 management. Sender and receiver <EM>must</EM> have identical keys and
12769 those keys <EM>must</EM> be kept secret from everyone else. Not too
12770 much of a problem if only two people are involved and they can
12771 conveniently meet privately or employ a trusted courier. Quite a
12772 problem, though, in other circumstances.</P>
12773 <P>It gets much worse if there are many people. An application might
12774 be written to use only one key for communication among 100 people, for
12775 example, but there would be serious problems. Do you actually trust
12776 all of them that much? Do they trust each other that much? Should
12777 they? What is at risk if that key is compromised? How are you going
12778 to distribute that key to everyone without risking its secrecy? What
12779 do you do when one of them leaves the company? Will you even know?</P>
12780 <P>On the other hand, if you need unique keys for every possible
12781 connection between a group of 100, then each user must have 99 keys.
12782 You need either 99*100/2 = 4950 <EM>secure</EM> key exchanges between
12783 users or a central authority that <EM>securely</EM> distributes 100
12784 key packets, each with a different set of 99 keys.</P>
12785 <P>Either of these is possible, though tricky, for 100 users. Either
12786 becomes an administrative nightmare for larger numbers. Moreover, keys <EM>
12787 must</EM> be changed regularly, so the problem of key distribution
12788 comes up again and again. If you use the same key for many messages
12789 then an attacker has more text to work with in an attempt to crack
12790 that key. Moreover, one successful crack will give him or her the text
12791 of all those messages.</P>
12792 <P>In short, the <EM>hardest part of conventional cryptography is key
12793 management</EM>. Today the standard solution is to build a <A href="#hybrid">
12794 hybrid system</A> using <A href="#public">public key</A> techniques to
12796 <DT><A name="T">T</A></DT>
12797 <DT><A name="TIS">TIS</A></DT>
12798 <DD><A href="http://www.tislabs.com">Trusted Information Systems</A>, a
12799 firewall vendor now part of <A href="#NAI">NAI</A>. Their Gauntlet
12800 product offers IPSEC VPN services. TIS implemented the first version
12801 of <A href="#SNDS">Secure DNS</A> on a <A href="#DARPA">DARPA</A>
12803 <DT><A name="TLS">TLS</A></DT>
12804 <DD><B>T</B>ransport <B>L</B>ayer <B>S</B>ecurity, a newer name for <A href="#SSL">
12806 <DT><A name="traffic">Traffic analysis</A></DT>
12807 <DD>Deducing useful intelligence from patterns of message traffic,
12808 without breaking codes or reading the messages. In one case during
12809 World War II, the British knew an attack was coming because all German
12810 radio traffic stopped. The "radio silence" order, intended to preserve
12811 security, actually gave the game away. </DD>
12812 <P>In an industrial espionage situation, one might deduce something
12813 interesting just by knowing that company A and company B were talking,
12814 especially if one were able to tell which departments were involved,
12815 or if one already knew that A was looking for acquisitions and B was
12816 seeking funds for expansion.</P>
12817 <P><A href="#IPSEC">IPSEC</A> itself does not defend against this, but
12818 carefully thought out systems using IPSEC can provide at least partial
12819 protection. In particular, one might want to encrypt more traffic than
12820 was strictly necessary, route things in odd ways, or even encrypt
12821 dummy packets, to confuse the analyst.</P>
12822 <DT><A name="transport">Transport mode</A></DT>
12823 <DD>An IPSEC application in which the IPSEC gateway is the destination
12824 of the protected packets, a machine acts as its own gateway. Contrast
12825 with <A href="#tunnel">tunnel mode</A>.</DD>
12826 <DT>Triple DES</DT>
12827 <DD>see <A href="#3DES">3DES</A></DD>
12828 <DT><A name="tunnel">Tunnel mode</A></DT>
12829 <DD>An IPSEC application in which an IPSEC gateway provides protection
12830 for packets to and from other systems. Contrast with <A href="#transport">
12831 transport mode</A>.</DD>
12832 <DT><A name="2key">Two-key Triple DES</A></DT>
12833 <DD>A variant of <A href="#3DES">triple DES or 3DES</A> in which only
12834 two keys are used. As in the three-key version, the order of
12835 operations is <A href="#EDE">EDE</A> or encrypt-decrypt-encrypt, but
12836 in the two-key variant the first and third keys are the same. </DD>
12837 <P>3DES with three keys has 3*56 = 168 bits of key but has only
12838 112-bit strength against a <A href="#meet">meet-in-the-middle</A>
12839 attack, so it is possible that the two key version is just as strong.
12840 Last I looked, this was an open question in the research literature.</P>
12841 <P>RFC 2451 defines triple DES for <A href="#IPSEC">IPSEC</A> as the
12842 three-key variant. The two-key variant should not be used and is not
12843 implemented directly in <A href="#FreeSWAN">Linux FreeS/WAN</A>. It
12844 cannot be used in automatically keyed mode without major fiddles in
12845 the source code. For manually keyed connections, you could make Linux
12846 FreeS/WAN talk to a two-key implementation by setting two keys the
12847 same in /etc/ipsec.conf.</P>
12848 <DT><A name="U">U</A></DT>
12849 <DT><A name="V">V</A></DT>
12850 <DT><A name="virtual">Virtual Interface</A></DT>
12851 <DD>A <A href="#Linux">Linux</A> feature which allows one physical
12852 network interface to have two or more IP addresses. See the <CITE>
12853 Linux Network Administrator's Guide</CITE> in <A href="#kirch">book
12854 form</A> or <A href="http://metalab.unc.edu/LDP/LDP/nag/node1.html">on
12855 the web</A> for details.</DD>
12856 <DT>Virtual Private Network</DT>
12857 <DD>see <A href="#VPN">VPN</A></DD>
12858 <DT><A name="VPN">VPN</A></DT>
12859 <DD><B>V</B>irtual <B>P</B>rivate <B>N</B>etwork, a network which can
12860 safely be used as if it were private, even though some of its
12861 communication uses insecure connections. All traffic on those
12862 connections is encrypted. </DD>
12863 <P><A href="#IPSEC">IPSEC</A> is not the only technique available for
12864 building VPNs, but it is the only method defined by <A href="#RFC">RFCs</A>
12865 and supported by many vendors. VPNs are by no means the only thing
12866 you can do with IPSEC, but they may be the most important application
12867 for many users.</P>
12868 <DT><A name="VPNC">VPNC</A></DT>
12869 <DD><A href="http://www.vpnc.org">Virtual Private Network Consortium</A>
12870 , an association of vendors of VPN products.</DD>
12871 <DT><A name="W">W</A></DT>
12872 <DT>Wassenaar Arrangement</DT>
12873 <DD>An international agreement restricting export of munitions and
12874 other tools of war. Unfortunately, cryptographic software is also
12875 restricted under the current version of the agreement. <A href="#Wassenaar">
12876 Discussion</A>.</DD>
12877 <DT><A name="web">Web of Trust</A></DT>
12878 <DD><A href="#PGP">PGP</A>'s method of certifying keys. Any user can
12879 sign a key; you decide which signatures or combinations of signatures
12880 to accept as certification. This contrasts with the hierarchy of <A href="#CA">
12881 CAs (Certification Authorities)</A> used in many <A href="#PKI">PKIs
12882 (Public Key Infrastructures)</A>. </DD>
12883 <P>See <A href="#GTR">Global Trust Register</A> for an interesting
12884 addition to the web of trust.</P>
12885 <DT><A name="X">X</A></DT>
12886 <DT><A name="X509">X.509</A></DT>
12887 <DD>A standard from the <A href="http://www.itu.int">ITU (International
12888 Telecommunication Union)</A>, for hierarchical directories with
12889 authentication services, used in many <A href="#PKI">PKI</A>
12890 implementations. </DD>
12891 <P>Use of X.509 services, via the <A href="#LDAP">LDAP protocol</A>,
12892 for certification of keys is allowed but not required by the <A href="#IPSEC">
12893 IPSEC</A> RFCs. It is not yet implemented in <A href="#FreeSWAN">Linux
12895 <DT><A href="http://www.xedia.com">Xedia</A></DT>
12896 <DD>A vendor of router and Internet access products. Their QVPN
12897 products interoperate with Linux FreeS/WAN; see our <A href="#Xedia">
12898 compatibility document</A>.</DD>
12899 <DT><A name="Y">Y</A></DT>
12900 <DT><A name="Z">Z</A></DT>
12903 <H1><A name="biblio">Bibliography for the Linux FreeS/WAN project</A></H1>
12904 <P> For extensive bibliographic links, see the <A href="http://liinwww.ira.uka.de/bibliography/index.html">
12905 Collection of Computer Science Bibliographies</A></P>
12906 <P> See our <A href="web.html">web links</A> for material available
12908 <HR><A name="adams"> Carlisle Adams and Steve Lloyd <CITE>Understanding
12909 Public Key Infrastructure</CITE>
12910 <BR></A> Macmillan 1999 ISBN 1-57870-166-x
12911 <BR> An overview, mainly concentrating on policy and strategic issues
12912 rather than the technical details. Both authors work for <A href="#PKI">
12913 PKI</A> vendor <A href="http://www.entrust.com/">Entrust</A>.
12914 <HR><A name="DNS.book"> Albitz, Liu & Loukides <CITE>DNS & BIND</CITE>
12916 <BR></A> O'Reilly 1998 ISBN 1-56592-512-2
12917 <BR> The standard reference on the <A href="#DNS">Domain Name Service</A>
12918 and <A href="#BIND">Berkeley Internet Name Daemon</A>.
12919 <HR><A name="puzzle"> Bamford <CITE>The Puzzle Palace, A report on NSA,
12920 Americas's most Secret Agency</CITE>
12921 <BR> Houghton Mifflin 1982 ISBN 0-395-31286-8</A>
12922 <HR><A name="bander"> David Bander, <CITE>Linux Security Toolkit</CITE>
12923 <BR> IDG Books, 2000, ISBN: 0764546902
12924 <BR> This book has a short section on FreeS/WAN and includes Caldera
12926 <HR><A name="CZR"> Chapman, Zwicky & Russell <CITE>Building Internet
12928 <BR> O'Reilly 1995 ISBN 1-56592-124-0</A>
12929 <HR><A name="firewall2"> Cheswick and Bellovin</A><CITE> Firewalls and
12930 Internet Security: Repelling the Wily Hacker</CITE>
12931 <BR> Addison-Wesley 1994 ISBN 0201633574
12932 <BR> A fine book on firewalls in particular and security in general
12933 from two of AT&T's system adminstrators.
12934 <P> Bellovin has also done a number of <A href="#papers">papers</A> on
12935 IPSEC and co-authored a <A href="#applied">paper</A> on a large
12936 FreeS/WAN application. </P>
12937 <HR><A name="comer"> Comer <CITE>Internetworking with TCP/IP</CITE>
12938 <BR> Prentice Hall</A>
12940 <LI>Vol. I: Principles, Protocols, & Architecture, 3rd Ed. 1995
12941 ISBN:0-13-216987-8</LI>
12942 <LI>Vol. II: Design, Implementation, & Intervals, 2nd Ed. 1994
12943 ISBN:0-13-125527-4</LI>
12944 <LI>Vol. III: Client/Server Programming & Applications
12946 <LI>AT&T TLI Version 1994 ISBN:0-13-474230-3</LI>
12947 <LI>BSD Socket Version 1996 ISBN:0-13-260969-X</LI>
12948 <LI>Windows Sockets Version 1997 ISBN:0-13-848714-6</LI>
12952 <P>If you need to deal with the details of the network protocols, read
12953 either this series or the <A href="#stevens">Stevens and Wright</A>
12954 series before you start reading the RFCs. </P>
12955 <HR><A name="diffie"> Diffie and Landau</A><CITE> Privacy on the Line:
12956 The Politics of Wiretapping and Encryption</CITE>
12957 <BR> MIT press 1998 ISBN 0-262-04167-7 (hardcover) or 0-262-54100-9
12958 <BR> An <A href="http://www-mitpress.mit.edu/news/diffie/">interview
12959 with the authors</A> is available on the web.
12960 <HR><A name="d_and_hark"> Doraswamy and Harkins <CITE>IP Sec: The New
12961 Security Standard for the Internet, Intranets and Virtual Private
12963 <BR> Prentice Hall 1999 ISBN: 0130118982</A>
12964 <HR><A name="EFF"> Electronic Frontier Foundation <CITE>Cracking DES:
12965 Secrets of Encryption Research, Wiretap Politics and Chip Design</CITE>
12966 <BR></A> O'Reilly 1998 ISBN 1-56592-520-3
12967 <BR> To conclusively demonstrate that DES is inadequate for continued
12968 use, the <A href="#EFF">EFF</A> built a machine for just over $200,000
12969 that breaks DES encryption in under five days on average, under nine
12971 <P>The book provides details of their design and, perhaps even more
12972 important, discusses why they felt the project was necessary.
12973 Recommended for anyone interested in any of the three topics mentioned
12974 in the subtitle.</P>
12975 <P>See also the <A href="http://www.eff.org/descracker.html"> EFF page
12976 on this project </A> and our discussion of <A href="#desnotsecure">DES
12977 insecurity</A>. </P>
12978 <HR> Martin Freiss <CITE>Protecting Networks with SATAN</CITE>
12979 <BR> O'Reilly 1998 ISBN 1-56592-425-8
12980 <BR> translated from a 1996 work in German
12981 <BR> SATAN is a Security Administrator's Tool for Analysing Networks.
12982 This book is a tutorial in its use.
12983 <HR> Gaidosch and Kunzinger<CITE> A Guide to Virtual Private Networks</CITE>
12984 <BR> Prentice Hall 1999 ISBN: 0130839647
12985 <HR><A name="Garfinkel"> Simson Garfinkel <CITE>Database Nation: the
12986 death of privacy in the 21st century</CITE>
12987 <BR> O'Reilly 2000 ISBN 1-56592-653-6
12988 <BR> A thoughtful and rather scary book.</A>
12989 <HR><A name="PGP"> Simson Garfinkel <CITE>PGP: Pretty Good Privacy</CITE>
12990 <BR> O'Reilly 1995 ISBN 1-56592-098-8
12991 <BR> An excellent introduction and user manual for the </A><A href="#PGP">
12992 PGP</A> email-encryption package. PGP is a good package with a complex
12993 and poorly-designed user interface. This book or one like it is a must
12994 for anyone who has to use it at length.
12995 <P>The book covers using PGP in Unix, PC and Macintosh environments,
12996 plus considerable background material on both the technical and
12997 political issues around cryptography. The only shortcoming is that it
12998 does not cover recent developments such as PGP 5 and Open PGP. </P>
12999 <HR><A name="practical"> Garfinkel and Spafford <CITE>Practical Unix
13001 <BR> O'Reilly 1996 ISBN 1-56592-148-8
13002 <BR> A standard reference.
13003 <BR> Spafford's web page has an excellent collection of <A href="http://www.cs.purdue.edu/coast/hotlist">
13004 crypto and security links</A>.
13005 <HR><A name="Kahn"> David Kahn <CITE>The Codebreakers: the
13006 Comprehensive History of Secret Communications from Ancient Times to
13007 the Internet</CITE>
13008 <BR> second edition Scribner 1996 ISBN 0684831309
13009 <BR> A history of codes and code-breaking from ancient Egypt to the
13010 20th century. Well-written and exhaustively researched. <STRONG>Highly
13011 recommended</STRONG>, even though it does not have much on computer
13013 <HR> David Kahn <CITE>Seizing the Enigma, The Race to Break the German
13014 U-Boat codes, 1939-1943</CITE>
13015 <BR> Houghton Mifflin 1991 ISBN 0-395-42739-8
13016 <HR><A name="kirch"> Olaf Kirch <CITE>Linux Network Administrator's
13018 <BR> O'Reilly 1995 ISBN 1-56592-087-2
13019 <BR> Now becoming somewhat dated in places, but still a good
13020 introductory book and general reference.</A>
13021 <HR><A name="RFCs"> Pete Lashin <CITE>Big Book of IPSEC RFCs</CITE>
13022 <BR> Morgan Kaufmann 2000 ISBN: 0-12-455839-9</A>
13023 <HR><A name="crypto"> Steven Levy <CITE>Crypto: How the Code Rebels
13024 Beat the Government -- Saving Privacy in the Digital Age</CITE></A>
13025 <BR> Penguin 2001, ISBN 0-670--85950-8
13026 <BR><STRONG> Highly recommended</STRONG>. A fine history of recent
13027 (about 1970-2000) developments in the field, and the related political
13028 controversies. FreeS/WAN project founder and leader John Gilmore
13029 appears several times.
13030 <P> The book does not cover IPSEC or FreeS/WAN, but this project is
13031 very much another battle in the same war. See our discussion of the <A href="politics.html">
13033 <HR><A name="GTR"> Matyas, Anderson et al. <CITE>The Global Trust
13035 <BR> Northgate Consultants Ltd 1998 ISBN: 0953239705
13036 <BR> hard cover edition due April 1999 MIT Press ISBN 0262511053
13037 <BR> From <A href="http://www.cl.cam.ac.uk/Research/Security/Trust-Register">
13038 their web page</A>: <BLOCKQUOTE> This book is a register of the
13039 fingerprints of the world's most important public keys; it implements
13040 a top-level certification authority (CA) using paper and ink rather
13041 than in an electronic system.</BLOCKQUOTE>
13042 <HR><A name="handbook"> Menezies, van Oorschot and Vanstone <CITE>
13043 Handbook of Applied Cryptography</CITE></A>
13044 <BR> CRC Press 1997
13045 <BR> ISBN 0-8493-8523-7
13046 <BR> An excellent reference. Read <A href="#schneier">Schneier</A>
13047 before tackling this.
13048 <HR><A name="Mourani"> Gerhard Mourani <CITE>Get Acquainted with Linux
13049 Security and Optimization System</CITE></A>
13050 <BR> Available online as a <A href="http://pages.infinit.net/lotus1/">
13051 PDF file</A>. It did not yet cover IPSEC when we last looked.
13052 <HR> Michael Padlipsky <CITE>Elements of Networking Style</CITE>
13053 <BR> Prentice-Hall 1985 ISBN 0-13-268111-0 or 0-13-268129-3
13054 <BR> Probably <STRONG>the funniest technical book ever written</STRONG>
13055 , this is a vicious but well-reasoned attack on the OSI "seven layer
13056 model" and all that went with it. Several chapters of it are also
13057 available as RFCs 871 to 875.
13058 <HR><A name="matrix"> John S. Quarterman <CITE>The Matrix: Computer
13059 Networks and Conferencing Systems Worldwide</CITE>
13060 <BR> Digital Press 1990 ISBN 155558-033-5
13061 <BR> Prentice-Hall ISBN 0-13-565607-9
13062 <BR> The best general treatment of computer-mediated communication we
13063 have seen. It naturally has much to say about the Internet, but also
13064 covers UUCP, Fidonet and so on.</A>
13065 <HR><A name="ranch"> David Ranch <CITE>Securing Linux Step by Step</CITE>
13066 <BR> SANS Institute, 1999
13067 <BR></A><A href="http://www.sans.org/"> SANS</A> is a respected
13068 organisation, this guide is part of a well-known series, and Ranch has
13069 previously written the useful <A href="http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS.wri">
13070 Trinity OS</A> guide to securing Linux, so my guess would be this is a
13071 pretty good book. I haven't read it yet, so I'm not certain. It can be
13072 ordered online from <A href="http://www.sans.org/">SANS</A>.
13073 <HR><A name="schneier"> Bruce Schneier <CITE>Applied Cryptography,
13074 Second Edition</CITE>
13075 <BR> John Wiley & Sons, 1996
13076 <BR> ISBN 0-471-12845-7 hardcover
13077 <BR> ISBN 0-471-11709-9 paperback
13078 <BR> A standard reference on computer cryptography. For more recent
13079 essays, see the <A href="http://www.counterpane.com/">author's
13080 company's web site</A>.
13081 <HR><A name="secrets"> Bruce Schneier <CITE>Secrets and Lies</CITE>
13082 <BR> Wiley 2000, ISBN 0-471-25311-1
13083 <BR> An interesting discussion of security and privacy issues, written
13084 with more of an "executive overview" approach rather than a narrow
13085 focus on the technical issues. <STRONG>Highly recommended</STRONG>.
13086 <HR><A name="VPNbook"> Scott, Wolfe and Irwin <CITE>Virtual Private
13087 Networks</CITE></A>
13088 <BR> 2nd edition, O'Reilly 1999 ISBN: 1-56592-529-7
13089 <BR> This is the only O'Reilly book, out of a dozen I own, that I'm
13090 disappointed with. It deals mainly with building VPNs with various
13091 proprietary tools -- <A href="#PPTP">PPTP</A>, <A href="#SSH">SSH</A>,
13092 Cisco PIX, ... -- and touches only lightly on IPSEC-based approaches.
13093 <P>That said, it appears to deal competently with what it does cover
13094 and it has readable explanations of many basic VPN and security
13095 concepts. It may be exactly what some readers require, even if I find
13096 the emphasis unfortunate. </P>
13097 <HR><A name="LASG"> Kurt Seifried <CITE>Linux Administrator's Security
13099 <BR> Available online from <A href="http://www.securityportal.com/lasg/">
13100 Security Portal</A>. It has fairly extensive coverage of IPSEC.
13101 <HR><A name="Smith"> Richard E Smith <CITE>Internet Cryptography</CITE>
13102 <BR></A> ISBN 0-201-92480-3, Addison Wesley, 1997
13103 <BR> See the book's <A href="http://www.visi.com/crypto/inet-crypto/index.html">
13105 <HR><A name="neal"> Neal Stephenson <CITE>Cryptonomicon</CITE></A>
13106 <BR> Hardcover ISBN -380-97346-4, Avon, 1999.
13107 <P> A novel in which cryptography and the net figure prominently. <STRONG>
13108 Highly recommended</STRONG>: I liked it enough I immediately went out
13109 and bought all the author's other books. </P>
13110 <P> There is also a paperback edition. Sequels are expected. </P>
13111 <HR><A name="stevens"> Stevens and Wright <CITE>TCP/IP Illustrated</CITE>
13112 <BR> Addison-Wesley</A>
13114 <LI>Vol. I: The Protocols 1994 ISBN:0-201-63346-9</LI>
13115 <LI>Vol. II: The Implementation 1995 ISBN:0-201-63354-X</LI>
13116 <LI>Vol. III: TCP for Transactions, HTTP, NNTP, and the UNIX Domain
13117 Protocols 1996 ISBN: 0-201-63495-3</LI>
13119 <P> If you need to deal with the details of the network protocols, read
13120 either this series or the <A href="#comer">Comer</A> series before you
13121 start reading the RFCs. </P>
13122 <HR><A name="Rubini"> Rubini <CITE>Linux Device Drivers</CITE>
13123 <BR> O'Reilly & Associates, Inc. 1998 ISBN 1-56592-292-1</A>
13124 <HR><A name="Zeigler"> Robert Zeigler <CITE>Linux Firewalls</CITE>
13125 <BR> Newriders Publishing, 2000 ISBN 0-7537-0900-9
13126 <BR></A></A></A></A></A></A><HR>
13127 <H1><A name="RFC">IPSEC RFCs and related documents</A></H1>
13128 <H2><A name="RFCfile">The RFCs.tar.gz Distribution File</A></H2>
13129 <P>The Linux FreeS/WAN distribution is available from:</P>
13130 <A href="http://www.xs4all.nl/~freeswan"> our primary distribution site</A>
13131 and various mirror sites. To give people more control over their
13132 downloads, the RFCs that define IP security are bundled separately in
13133 the file RFCs.tar.gz.
13134 <P>The file you are reading is included in the main distribution and is
13135 available on the web site. It describes the RFCs included in the <A href="#RFCs.tar.gz">
13136 RFCs.tar.gz</A> bundle and gives some pointers to <A href="#sources">
13137 other ways to get them</A>.</P>
13138 <H2><A name="sources">Other sources for RFCs & Internet drafts</A></H2>
13139 <H3><A name="RFCdown">RFCs</A></H3>
13140 <P> RFCs are downloadble at many places around the net such as:</P>
13142 <LI><A href="http://www.rfc-editor.org">http://www.rfc-editor.org</A></LI>
13143 <LI><A href="http://nis.nsf.net/internet/documents/rfc">NSF.net</A></LI>
13144 <LI><A href="http://sunsite.doc.ic.ac.uk/computing/internet/rfc">
13145 Sunsite in the UK</A></LI>
13147 <P> browsable in HTML form at others such as:</P>
13149 <LI><A href="http://www.landfield.com/rfcs/index.html">landfield.com</A></LI>
13150 <LI><A href="http://www.library.ucg.ie/Connected/RFC">Connected
13151 Internet Encyclopedia</A></LI>
13153 <P> and some of them are available in translation:</P>
13155 <LI><A href="http://www.eisti.fr/eistiweb/docs/normes/">French</A></LI>
13157 <P> There is also a published <A href="#RFCs1">Big Book of IPSEC RFCs</A>
13159 <H3><A name="drafts">Internet Drafts</A></H3>
13160 <P> Internet Drafts, working documents which sometimes evolve into
13161 RFCs, are also available. </P>
13163 <LI><A href="http://www.ietf.org/ID.html">Overall reference page</A></LI>
13164 <LI>drafts from the <A href="http://www.ietf.org/ids.by.wg/ipsec.html">
13165 IPSEC</A> working group</LI>
13166 <LI>drafts from the <A href="http://www.ietf.org/ids.by.wg/ipsra.html">
13167 IPSRA (IPSEC Remote Access)</A> working group</LI>
13169 <P> Note: some of these may be obsolete, replaced by later drafts or by
13171 <H3><A name="FIPS1">FIPS standards</A></H3>
13172 <P> Some things used by <A href="#IPSEC">IPSEC</A>, such as <A href="#DES">
13173 DES</A> and <A href="#SHA">SHA</A>, are defined by US government
13174 standards called <A href="#FIPS">FIPS</A>. The issuing organisation, <A href="#NIST">
13175 NIST</A>, have a <A href="http://www.itl.nist.gov/div897/pubs">FIPS
13176 home page</A>. </P>
13177 <H3><A name="doc.cd">Document CDs</A></H3>
13178 <P> At least one vendor sells CD-ROMs of RFCs and Internet Drafts: </P>
13180 <LI><A href="http://www.cdrom.com/titles/educate/inet.phtml">Walnut
13181 Creek CDROM</A></LI>
13183 <P> Note: The 2401-2412 group of IPSEC RFCs were issued in late
13184 November 1998, and the 2535-2539 group on Secure DNS in March 1999, so
13185 an older CD may not be particularly useful if these areas are your main
13187 <H2><A name="RFCs.tar.gz">What's in the RFCs.tar.gz bundle?</A></H2>
13188 <P> All filenames are of the form rfc*.txt, with the * replaced with
13189 the RFC number. </P>
13193 <H3><A name="rfc.ov">Overview RFCs</A></H3>
13195 2401 Security Architecture for the Internet Protocol
13196 2411 IP Security Document Roadmap
13198 <H3><A name="basic.prot">Basic protocols</A></H3>
13200 2402 IP Authentication Header
13201 2406 IP Encapsulating Security Payload (ESP)
13203 <H3><A name="key.ike">Key management</A></H3>
13205 2367 PF_KEY Key Management API, Version 2
13206 2407 The Internet IP Security Domain of Interpretation for ISAKMP
13207 2408 Internet Security Association and Key Management Protocol (ISAKMP)
13208 2409 The Internet Key Exchange (IKE)
13209 2412 The OAKLEY Key Determination Protocol
13210 2528 Internet X.509 Public Key Infrastructure
13212 <H3><A name="rfc.detail">Details of various things used</A></H3>
13214 2085 HMAC-MD5 IP Authentication with Replay Prevention
13215 2104 HMAC: Keyed-Hashing for Message Authentication
13216 2202 Test Cases for HMAC-MD5 and HMAC-SHA-1
13217 2207 RSVP Extensions for IPSEC Data Flows
13218 2403 The Use of HMAC-MD5-96 within ESP and AH
13219 2404 The Use of HMAC-SHA-1-96 within ESP and AH
13220 2405 The ESP DES-CBC Cipher Algorithm With Explicit IV
13221 2410 The NULL Encryption Algorithm and Its Use With IPsec
13222 2451 The ESP CBC-Mode Cipher Algorithms
13223 2521 ICMP Security Failures Messages
13225 <H3><A name="rfc.ref">Older RFCs which may be referenced</A></H3>
13227 1321 The MD5 Message-Digest Algorithm
13228 1828 IP Authentication using Keyed MD5
13229 1829 The ESP DES-CBC Transform
13230 1851 The ESP Triple DES Transform
13231 1852 IP Authentication using Keyed SHA
13233 <H3><A name="rfc.dns">RFCs for secure DNS service, which IPSEC may use</A>
13236 2137 Secure Domain Name System Dynamic Update
13237 2230 Key Exchange Delegation Record for the DNS
13238 2535 Domain Name System Security Extensions
13239 2536 DSA KEYs and SIGs in the Domain Name System (DNS)
13240 2537 RSA/MD5 KEYs and SIGs in the Domain Name System (DNS)
13241 2538 Storing Certificates in the Domain Name System (DNS)
13242 2539 Storage of Diffie-Hellman Keys in the Domain Name System (DNS)
13244 <H3><A name="rfc.exp">RFCs labelled "experimental"</A></H3>
13246 2521 ICMP Security Failures Messages
13247 2522 Photuris: Session-Key Management Protocol
13248 2523 Photuris: Extended Schemes and Attributes
13250 <H3><A name="rfc.rel">Related RFCs</A></H3>
13252 1750 Randomness Recommendations for Security
13253 1918 Address Allocation for Private Internets
13254 1984 IAB and IESG Statement on Cryptographic Technology and the Internet
13255 2144 The CAST-128 Encryption Algorithm
13258 <H1><A NAME="18">FreeS/WAN FAQ</A></H1>
13259 <P> This is a collection of questions and answers, mostly taken from
13260 the FreeS/WAN <A href="mail.html">mailing list</A>. See the project <A href="http://www.freeswan.org/">
13261 web site</A> for more information. All the FreeS/WAN documentation is
13263 <P> Contributions to the FAQ are welcome. Please send them to the
13264 project <A href="mail.html">mailing list</A>.</P>
13266 <H2><A name="questions">Questions</A></H2>
13268 <LI><A href="#whatzit"> What is FreeS/WAN?</A></LI>
13269 <LI><A href="#problems"> How do I report a problem or seek help?</A></LI>
13270 <LI><A href="#generic">Generic questions</A></LI>
13272 <LI><A href="#lemme_out"> This is too complicated. Isn't there an
13273 easier way?</A></LI>
13274 <LI><A href="#commercial"> Can I get commercial support for this
13276 <LI><A href="#modify.faq"> Can I modify FreeS/WAN to ...?</A></LI>
13277 <LI><A href="#contrib.faq"> Can I contribute to the project?</A></LI>
13278 <LI><A href="#ddoc.faq">Is there detailed design documentation?</A></LI>
13279 <LI><A href="#interop.faq"> Can FreeS/WAN talk to ...?</A></LI>
13280 <LI><A href="#old_to_new"> Can different FreeS/WAN versions talk to
13281 each other?</A></LI>
13282 <LI><A href="#versions"> Does FreeS/WAN run on my version of Linux?</A></LI>
13283 <LI><A href="#k.versions"> Does FreeS/WAN run on the latest kernel
13285 <LI><A href="#faq.speed"> Is a ... fast enough to handle FreeS/WAN with
13286 ... connections?</A></LI>
13288 <LI><A href="#compile.faq">Compilation problems</A></LI>
13290 <LI><A href="#gmp.h_missing">gmp.h: No such file or directory</A></LI>
13291 <LI><A href="#noVM">... virtual memory exhausted</A></LI>
13293 <LI><A href="#setup.faq"> Life's little mysteries</A></LI>
13295 <LI><A href="#cantping"> I cannot ping ....</A></LI>
13296 <LI><A href="#forever">It takes forever to ...</A></LI>
13297 <LI><A href="#route"> I send packets to the tunnel with route(8) but
13298 they vanish</A></LI>
13299 <LI><A href="#down_route"> When a tunnel goes down, packets vanish</A></LI>
13300 <LI><A href="#firewall_ate">The firewall ate my packets!</A></LI>
13301 <LI><A href="#dropconn">Dropped connections</A></LI>
13302 <LI><A href="#tcpdump"> TCPdump on the gateway shows strange things</A></LI>
13303 <LI><A href="#no_trace"> Traceroute does not show anything between the
13306 <LI><A href="#man4debug">Testing in stages</A></LI>
13308 <LI><A href="#nomanual">Manually keyed connections don't work</A></LI>
13309 <LI><A href="#spi_error">One manual connection works, but second one
13311 <LI><A href="#man_no_auto"> Manual connections work, but automatic
13312 keying doesn't</A></LI>
13313 <LI><A href="#nocomp"> IPSEC works, but connections using compression
13315 <LI><A href="#pmtu.broken"> Small packets work, but large transfers fail</A>
13317 <LI><A href="#subsub">Subnet-to-subnet works, but tests from the
13318 gateways don't</A></LI>
13320 <LI><A href="#error"> Interpreting error messages</A></LI>
13322 <LI><A href="#unreachable">SIOCADDRT:Network is unreachable</A></LI>
13323 <LI><A href="#noKLIPS">ipsec_setup: Fatal error, kernel appears to lack
13325 <LI><A href="#noDNS">ipsec_setup: ... failure to fetch key for ... from
13327 <LI><A href="#dup_address">ipsec_setup: ... interfaces ... and ...
13328 share address ...</A></LI>
13329 <LI><A href="#kflags"> ipsec_setup: Cannot adjust kernel flags</A></LI>
13330 <LI><A href="#conn_name">Connection names in Pluto error messages</A></LI>
13331 <LI><A href="#cantorient">Pluto: ... can't orient connection</A></LI>
13332 <LI><A href="#noconn"> Pluto: ... no connection is known</A></LI>
13333 <LI><A href="#nosuit"> Pluto: ... no suitable connection ...</A></LI>
13334 <LI><A href="#noconn.auth"> Pluto: ... no connection has been authorized</A>
13336 <LI><A href="#noDESsupport"> Pluto: ... OAKLEY_DES_CBC is not supported.</A>
13338 <LI><A href="#notransform"> Pluto: ... no acceptable transform</A></LI>
13339 <LI><A href="#econnrefused">ECONNREFUSED error message</A></LI>
13340 <LI><A href="#no_eroute"> klips_debug: ... no eroute!</A></LI>
13341 <LI><A href="#SAused"> ... trouble writing to /dev/ipsec ... SA already
13343 <LI><A href="#ignore"> ... ignoring ... payload</A></LI>
13345 <LI><A href="#canI">Can I ...</A></LI>
13347 <LI><A href="#reload">Can I reload connection info without restarting?</A>
13349 <LI><A href="#masq.faq">Can I use several masqueraded subnets?</A></LI>
13350 <LI><A href="#dup_route">Can I use subnets masqueraded to the same
13351 addresses?</A></LI>
13352 <LI><A href="#road.masq">Can I assign a road warrior an address on my
13354 <LI><A href="#QoS">Can I use Quality of Service routing with FreeS/WAN?</A>
13356 <LI><A href="#deadtunnel">Can I recognise dead tunnels and shut them
13358 <LI><A href="#demanddial">Can I build IPSEC tunnels over a
13359 demand-dialed link?</A></LI>
13360 <LI><A href="#GRE">Can I build GRE tunnels over IPSEC?</A></LI>
13361 <LI><A href="#PKIcert"> Does FreeS/WAN support X.509 or other PKI
13362 certificates?</A></LI>
13363 <LI><A href="#Radius"> Does FreeS/WAN support Radius or other user
13364 authentication?</A></LI>
13365 <LI><A href="#noDES.faq"> Does FreeS/WAN support single DES encryption?</A>
13368 <LI><A href="#spam">Why don't you restrict the mailing lists to reduce
13372 <H2><A name="whatzit"> What is FreeS/WAN?</A></H2>
13373 FreeS/WAN is a Linux implementation of the <A href="#IPSEC">IPSEC</A>
13374 protocols, providing security services at the IP (Internet Protocol)
13375 level of the network.
13376 <P> For more detail, see our <A href="intro.html">introduction</A>
13377 document or the FreeS/WAN project <A href="http://www.freeswan.org/">
13379 <H2><A name="problems">How do I report a problem or seek help?</A></H2>
13380 See our <A href="prob.report">problem reporting</A> document.
13381 Basically, what it says is <STRONG>give us the output from <NOBR><VAR>
13382 ipsec barf</VAR></NOBR> from both gateways</STRONG>. Without full
13383 information, we cannot diagnose a problem. However, <NOBR><VAR>ipsec
13384 barf</VAR></NOBR> produces a lot of output. If at all possible, <STRONG>
13385 please make barfs accessible via the web or FTP</STRONG> rather than
13386 sending enormous mail messages.
13387 <P><STRONG> Use the <A href="mail.html">mailing list</A> for problem
13388 reports</STRONG>, rather than mailing developers directly. This gives
13389 you access to more expertise, including users who may have encountered
13390 and solved the same problems. In particular, for problems involving <A href="interop.html">
13391 interoperation</A> with another IPSEC implementation, the users often
13392 know more than the developers. </P>
13393 <P> Using the list may also be important in relation to various <A href="#exlaw">
13394 cryptography export laws</A>. A US citizen who provides technical
13395 assistance to foreign cryptographic work might be charged under the
13396 arms export regulations. Such a charge would be easier to defend if the
13397 discussion took place on a public mailing list than if it were done in
13399 <H2><A name="generic">Generic questions</A></H2>
13400 <H3><A name="lemme_out">This is too complicated. Isn't there an easier
13402 There are a number of Linux distributions or firewall products which
13403 include FreeS/WAN. See this <A href="#products">list</A>. Using one of
13404 these, chosen to match your requirements and budget, may save you
13405 considerable time and effort. (If you don't know your requirements,
13406 start by reading Schneier's <A href="#secrets">Secrets and Lies</A>.
13407 That gives the best overview of security issues I have seen.)
13408 <P> If you want the help of a contractor, or to hire staff with
13409 FreeS/WAN expertise, you could: </P>
13411 <LI>check availability in your area through your local Linux User Group
13412 (<A href="http://www.linux.com/lug/">LUG Index</A>) </LI>
13413 <LI>try asking on our <A href="mail.html">mailing list</A></LI>
13415 <P> For companies offerring support, see the next question. </P>
13416 <H3><A name="commercial">Can I get commercial support for this product?</A>
13418 Many of the distributions or firewall products which include FreeS/WAN
13419 (see this <A href="#products">list</A>) come with commercial support or
13420 have it available as an option.
13421 <P> Various companies specialize in commercial support of open source
13422 software. Our project leader was a founder of the first such company,
13423 Cygnus Support. It has since been bought by <A href="http://www.redhat.com">
13424 Redhat</A>. Another such firm is <A href="http://www.linuxcare.com">
13425 Linuxcare</A>. </P>
13426 <H3><A name="modify.faq">Can I modify FreeS/WAN to ...?</A></H3>
13427 You are free to modify FreeS/WAN in any way. See the discussion of <A href="#licensing">
13428 licensing</A> in our introduction document.
13429 <H3><A name="contrib.faq">Can I contribute to the project?</A></H3>
13430 In general, we welcome contributions from the community. Various
13431 contributed patches, either to fix bugs or to add features, have been
13432 incorporated into our distribution. Other patches, not yet included in
13433 the distribution, are listed in our <A href="#patch">web links</A>
13435 <P> Users have also contributed heavily to documentation, both by
13436 creating their own <A href="#howto">HowTos</A> and by posting things on
13437 the <A href="mail.html">mailing lists</A> which I have quoted in these
13439 <P> There are, however, some caveats. </P>
13440 <P> FreeS/WAN is being implemented in Canada, by Canadians, largely to
13441 ensure that is it is entirely free of export restrictions. See this <A href="#status">
13442 discussion</A>. We <STRONG>cannot accept code contributions from US
13443 residents or citizens</STRONG>, not even one-line bugs fixes. The
13444 reasons for this were recently discussed extensively on the mailing
13445 list, in a thread starting <A href="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2001/01/msg00111.html">
13447 <P> Not all contributions are of interest to us. The project has a set
13448 of fairly ambitious and quite specific goals, described in our <A href="#goals">
13449 introduction</A>. Contributions that lead toward these goals are likely
13450 to be welcomed enthusiastically. Other contributions may be seen as
13451 lower priority, or even as a distraction. </P>
13452 <H3><A name="ddoc.faq">Is there detailed design documentation?</A></H3>
13455 <LI><A href="RFC.html">RFCs</A> specifying the protocols we implement </LI>
13456 <LI><A href="manpages.html">man pages</A> for our utilities, library
13457 functions and file formats </LI>
13458 <LI>comments in the source code </LI>
13459 <LI><A href="index.html">HTML documentation</A> written primarily for
13461 <LI>archived discussions from the <A href="mail.html">mailing lists</A></LI>
13462 <LI>other papers mentioned in our <A href="#applied">introduction</A></LI>
13464 The only formal design documents are a few papers in the last category
13465 above. All the other categories, however, have things to say about
13467 <H3><A name="interop.faq">Can FreeS/WAN talk to ...?</A></H3>
13468 The IPSEC protocols are designed to support interoperation. In theory,
13469 any two IPSEC implementations should be able to talk to each other.
13470 <P> In practice, it is considerably more complex. We have a whole <A href="interop.html">
13471 interop document</A> devoted to it. </P>
13472 <H3><A name="old_to_new">Can different FreeS/WAN versions talk to each
13474 Linux FreeS/WAN can interoperate with many IPSEC implementations,
13475 including earlier versions of Linux FreeS/WAN itself.
13476 <P> In general, new versions will use existing configuration files, at
13477 least until the next major version number change. For example, 1.8 can
13478 use files created for 1.7, 1.6, even back to 1.0, but not from 0.92.
13479 This behaviour will continue until we release 2.0. </P>
13480 <P> As of 1.8, however, conf file checking has become stricter, so that
13481 an error that may have slipped past the checks in an earlier version
13482 may be caught in a later one. From 1.8's doc/CHANGES: </P>
13484 The internal configuration-file reader is progressively getting
13485 fussier about what it will accept, which may cause problems for
13486 illegal ipsec.conf files whose sins previously passed unnoticed.
13487 IN PARTICULAR, the "auto" parameter's values are now checked for
13488 legality everywhere.
13490 <H3><A name="versions">Does FreeS/WAN run on my version of Linux?</A></H3>
13491 We build and test on Redhat distributions, but FreeS/WAN runs just
13492 fine on several other distributions, sometimes with minor fiddles to
13493 adapt to the local environment. Details are in our <A href="#otherdist">
13494 compatibility</A> document. Also, some distributions or products come
13495 with <A href="#products">FreeS/WAN included</A>.
13496 <P> FreeS/WAN is <STRONG>intended to run on all CPUs Linux supports</STRONG>
13497 . As of June 2000, we know of it being used in production on x86, ARM,
13498 Alpha and MIPS. It has also had successful tests on PPC and SPARC,
13499 though we don't know of actual use there. Details are in our <A href="#CPUs">
13500 compatibility</A> document. </P>
13501 <P> FreeS/WAN has been tested on multiprocessor Intel Linux and worked
13502 there. Note, however, that we do not test this often and have never
13503 tested on multiprocessor machines of other architectures. </P>
13504 <H3><A name="k.versions">Does FreeS/WAN run on the latest kernel
13506 Sometimes yes, but quite often, no.
13507 <P> Released versions of FreeS/WAN run on whatever production kernels
13508 were current at the time of our release (or shortly before; we might
13509 release for kernel <VAR>n</VAR> just as Linus releases <VAR>n+1</VAR>).
13510 For example, FreeS/WAN 1.91 runs on kernel 2.2.19 or 2.4.5. Often they
13511 will run on slightly earlier or later kernels as well, but we test on
13512 the current production kernels, so those are strongly recommended. </P>
13513 <P> The kernel is under active development and it is not uncommon for
13514 changes to appear that cause problems for FreeS/WAN. For example, 2.4.6
13515 or 2.4.7 may have changes that break FreeS/WAN 1.91. Or not; you can't
13516 tell in advance. When such changes appear, we put a fix in the
13517 FreeS/WAN snapshots, and distribute it with our next release. </P>
13518 <P> However, this is not a high priority for us, and it may take
13519 anything from a few days to several weeks for such a problem to find
13520 its way to the top of our kernel programmer's To-Do list. In the
13521 meanwhile, you have two choices: </P>
13523 <LI>either stick with a slightly older kernel, even if it is not the
13524 latest and greatest. This is recommended for production systems; new
13525 versions may have new bugs. </LI>
13526 <LI>or fix the problem yourself and send us a patch, via the <A href="mail.html">
13527 Users mailing list</A>. </LI>
13529 We don't even try to keep up with kernel changes outside the main 2.2
13530 and 2.4 branches, such as the 2.4.x-ac patched versions from Alan Cox
13531 or (when they appear) the 2.5 series of development kernels. We'd
13532 rather work on developing the FreeS/WAN code than on chasing these
13533 moving targets. We are, however, happy to get patches for problems
13535 <P> See also the <A href="#choosek">Choosing a kernel</A> section of
13536 our installation document. </P>
13537 <H3><A name="faq.speed">Is a ... fast enough to handle FreeS/WAN with
13538 ... connections?</A></H3>
13539 Certainly FreeS/WAN can run happily on limited machines. Very roughly:
13541 <LI>a 486 machines can handle a T1, ADSL or cable link (but the machine
13542 may be breathing hard) </LI>
13543 <LI>a current (mid-2001) technology PC can easily handle at least a 10
13544 Mbit/second link </LI>
13546 Beyond that, the picture is not clear. Much depends on details of your
13547 network, your traffic, and other loads on both machine and net.
13548 <P> See our <A href="performance.html">FreeS/WAN performance</A>
13549 document and our discussion of <A href="#biggate">many tunnels for one
13550 gateway</A> for more detail. </P>
13551 <H2><A name="compile.faq">Compilation problems</A></H2>
13552 <H3><A name="gmp.h_missing">gmp.h: No such file or directory</A></H3>
13553 Pluto needs the GMP (<STRONG>G</STRONG>NU <STRONG>M</STRONG>ulti-<STRONG>
13554 P</STRONG>recision) library for the large integer calculations it uses
13555 in <A href="#public"> public key</A> cryptography. This error message
13556 indicates a failure to find the library. You must install it before
13557 Pluto will compile.
13558 <P> The GMP library is included in most Linux distributions. Typically,
13559 there are two RPMs, libgmp and libgmp-devel, You need to <EM>install
13560 both</EM>, either from your distribution CDs or from your vendor's web
13562 <P> On Debian, a mailing list message reports that the command to give
13563 is <NOBR><VAR>apt-get install gmp2</VAR></NOBR>. </P>
13564 <P> For more information and the latest version, see the <A href="http://www.swox.com/gmp/">
13565 GMP home page</A>. </P>
13566 <H3><A name="noVM">... virtual memory exhausted</A></H3>
13567 We have had several reports of this message appearing, all on SPARC
13568 Linux. Here is a mailing message on a solution:
13570 > ipsec_sha1.c: In function `SHA1Transform':
13571 > ipsec_sha1.c:95: virtual memory exhausted
13573 I'm seeing exactly the same problem on an Ultra with 256MB ram and 500
13574 MB swap. Except I am compiling version 1.5 and its Red Hat 6.2.
13576 I can get around this by using -O instead of -O2 for the optimization
13577 level. So it is probably a bug in the optimizer on the sparc complier.
13578 I'll try and chase this down on the sparc lists.
13580 <H2><A name="setup.faq">Life's little mysteries</A></H2>
13581 FreeS/WAN is a fairly complex product. (Neither the networks it runs
13582 on nor the protocols it uses are simple, so it could hardly be
13583 otherwise.) It therefore sometimes exhibits behaviour which can be
13584 somewhat confusing, or has problems which are not easy to diagnose.
13585 This section tries to explain those problems.
13586 <P> Setup and configuration of FreeS/WAN are covered in other
13587 documentation sections: </P>
13589 <LI><A href="install.html"> Installation</A></LI>
13590 <LI><A href="config.html"> Configuration</A></LI>
13591 <LI><A href="trouble.html"> Troubleshooting</A></LI>
13593 <P> However, we also list some of the commonest problems here. </P>
13594 <H3><A name="cantping">I cannot ping ....</A></H3>
13595 This question is dealt with in the configuration section under the
13596 heading <A href="#multitunnel">multiple tunnels</A>.
13597 <P> The standard subnet-to-subnet tunnel protects traffic <STRONG>only
13598 between the subnets</STRONG>. To test it, you must use pings that go
13599 from one subnet to the other. </P>
13600 <P> For example, suppose you have: </P>
13620 <P> and the connection description: </P>
13625 leftsubnet=a.b.c.0/24
13627 rightsubnet=x.y.z.0/24
13629 <P> You can test this connection description only by sending a ping
13630 that will actually go through the tunnel. Assuming you have machines at
13631 addresses a.b.c.2 and x.y.z.2, pings you might consider trying are: </P>
13633 <DT> ping from x.y.z.2 to a.b.c.2 or vice versa</DT>
13634 <DD> Succeeds if tunnel is working. This is the <STRONG>only valid test
13635 of the tunnel</STRONG>. </DD>
13636 <DT> ping from gate2 to a.b.c.2 or vice versa</DT>
13637 <DD><STRONG> Does not use tunnel</STRONG>. gate2 is not on protected
13639 <DT> ping from gate1 to x.y.z.2 or vice versa</DT>
13640 <DD><STRONG> Does not use tunnel</STRONG>. gate1 is not on protected
13642 <DT> ping from gate1 to gate2 or vice versa</DT>
13643 <DD><STRONG> Does not use tunnel</STRONG>. Neither gate is on a
13644 protected subnet. </DD>
13646 <P> Only the first of these is a useful test of this tunnel. The others
13647 do not use the tunnel. Depending on other details of your setup and
13648 routing, they: </P>
13650 <LI>either fail, telling you nothing about the tunnel </LI>
13651 <LI>or succeed, telling you nothing about the tunnel since these
13652 packets use some other route </LI>
13654 <P> If required, you can of course build additional tunnels so that all
13655 the machines involved can talk to all the others. See <A href="#multitunnel">
13656 multiple tunnels</A> in the configuration document for details. </P>
13657 <H3><A name="forever">It takes forever to ...</A></H3>
13658 Users fairly often report various problems involving long delays,
13659 sometimes on tunnel setup and sometimes on operations done through the
13660 tunnel, occasionally on simple things like ping or more often on more
13661 complex operations like doing NFS or Samba through the tunnel.
13662 <P> Almost always, these turn out to involve failure of a DNS lookup.
13663 The timeouts waiting for DNS are typically set long so that you won't
13664 time out when a query involves multiple lookups or long paths. Genuine
13665 failures therefore produce long delays before they are detected. </P>
13666 <P> A mailing list message from project technical lead Henry Spencer: </P>
13668 > ... when i run /etc/rc.d/init.d/ipsec start, i get:
13669 > ipsec_setup: Starting FreeS/WAN IPSEC 1.5...
13670 > and it just sits there, doesn't give back my bash prompt.
13672 Almost certainly, the problem is that you're using DNS names in your
13673 ipsec.conf, but DNS lookups are not working for some reason. You will
13674 get your prompt back... eventually. But the DNS timeouts are long.
13675 Doing something about this is on our list, but it is not easy.
13677 <P> In the meanwhile, we recommend that connection descriptions in <A href="manpage.d/ipsec.conf.5.html">
13678 ipsec.conf(5)</A> use numeric IP addresses rather than names which will
13679 require a DNS lookup. </P>
13680 <P> Names that do not require a lookup are fine. For example: </P>
13682 <LI>a road warrior might use the identity <VAR>
13683 rightid=@lancelot.example.org</VAR></LI>
13684 <LI>the gateway might use <VAR>leftid=@camelot.example.org</VAR></LI>
13686 <P> These are fine. The @ sign prevents any DNS lookup. However, do not
13687 attempt to give the gateway address as <VAR>left=camelot.example.org</VAR>
13688 . That requires a lookup. </P>
13689 <P> A post from one user after solving a problem with long delays: </P>
13691 Subject: Final Answer to Delay!!!
13692 Date: Mon, 19 Feb 2001
13693 From: "Felippe Solutions" <felippe@solutionstecnologia.com.br>
13695 Sorry people, but seems like the Delay problem had nothing to do with
13698 The problem was DNS as some people sad from the beginning, but not the way
13699 they thought it was happening. Samba, ssh, telnet and other apps try to
13700 reverse lookup addresses when you use IP numbers (Stupid that ahh).
13702 I could ping very fast because I always ping with "-n" option, but I don't
13703 know the option on the other apps to stop reverse addressing so I don't use
13706 This post is fairly typical. These problems are often tricky and
13707 frustrating to diagnose, and most turn out to be DNS-related.
13708 <P> One suggestion for diagnosis: test with both names and addresses if
13709 possible. For example, try all of: </P>
13711 <LI>ping <VAR>address</VAR></LI>
13712 <LI>ping -n <VAR>address</VAR></LI>
13713 <LI>ping <VAR>name</VAR></LI>
13715 <P> If these behave differently, the problem must be DNS-related since
13716 the three commands do exactly the same thing except for DNS lookups. </P>
13717 <H3><A name="route">I send packets to the tunnel with route(8) but they
13719 IPSEC connections are designed to carry only packets travelling
13720 between pre-defined connection endpoints. As project technical lead
13721 Henry Spencer put it: <BLOCKQUOTE> IPsec tunnels are not just virtual
13722 wires; they are virtual wires with built-in access controls.
13723 Negotiation of an IPsec tunnel includes negotiation of access rights
13724 for it, which don't include packets to/from other IP addresses. (The
13725 protocols themselves are quite inflexible about this, so there are
13726 limits to what we can do about it.) </BLOCKQUOTE> For fairly obvious
13727 security reasons, and to comply with the IPSEC RFCs, <A href="#KLIPS">
13728 KLIPS</A> drops any packets it receives that are not allowed on the
13729 tunnels currently defined. So if you send it packets with <VAR>route(8)</VAR>
13730 , and suitable tunnels are not defined, the packets vanish. Whether
13731 this is reported in the logs depends on the setting of <VAR>klipsdebug</VAR>
13732 in your <A href="manpage.d/ipsec.conf.5.html">ipsec.conf(5)</A> file.
13733 <P> To rescue vanishing packets, you must ensure that suitable tunnels
13734 for them exist, by editing the connection descriptions in <A href="manpage.d/ipsec.conf.5.html">
13735 ipsec.conf(5)</A>. For example, supposing you have a simple setup: </P>
13737 leftsubnet -- leftgateway === internet === roadwarrior
13739 If you want to give the roadwarrior access to some resource that is
13740 located behind the left gateway but is not in the currently defined
13741 left subnet, then the usual procedure is to define an additional tunnel
13742 for those packets by creating a new connection description.
13743 <P> In some cases, it may be easier to alter an existing connection
13744 description, enlarging the definition of <VAR>leftsubnet</VAR>. For
13745 example, instead of two connection descriptions with 192.168.8.0/24 and
13746 192.168.9.0/24 as their <VAR>leftsubnet</VAR> parameters, you can use a
13747 single description with 192.168.8.0/23. </P>
13748 <P> If you have multiple endpoints on each side, you need to ensure
13749 that there is a route for each pair of endpoints. See our <A href="#multitunnel">
13750 configuration</A> document for an example. </P>
13751 <H3><A name="down_route">When a tunnel goes down, packets vanish</A></H3>
13752 This is a special case of the vanishing packet problem described in
13753 the previous question. Whenever KLIPS sees packets for which it does
13754 not have a tunnel, it drops them.
13755 <P> When a tunnel goes away, either because negotiations with the other
13756 gateway failed or because you gave an <NOBR><VAR>ipsec auto --down</VAR></NOBR>
13757 command, the route to its other end is left pointing into KLIPS, and
13758 KLIPS will drop packets it has no tunnel for. </P>
13759 <P> This is a documented design decision, not a bug. FreeS/WAN must not
13760 automatically adjust things to send packets via another route. The
13761 other route might be insecure. </P>
13762 <P> Of course, re-routing may be necessary in many cases. In those
13763 cases, you have to do it manually or via scripts. We provide the <NOBR><VAR>
13764 ipsec auto --unroute</VAR></NOBR> command for these cases. </P>
13765 <P> From <A href="manpage.d/ipsec_auto.8.html">ipsec_auto(8)</A>: <BLOCKQUOTE>
13766 Normally, pluto establishes a route to the destination specified
13767 for a connection as part of the --up operation. However, the route
13768 and only the route can be established with the --route operation.
13769 Until and unless an actual connection is established, this
13770 discards any packets sent there, which may be preferable to having
13771 them sent elsewhere based on a more general route (e.g., a
13772 default route). </BLOCKQUOTE><BLOCKQUOTE> Normally, pluto's route to a
13773 destination remains in place when a --down operation is used to
13774 take the connection down (or if connection setup, or later automatic
13775 rekeying, fails). This permits establishing a new connection (perhaps
13776 using a different specification; the route is altered as necessary)
13777 without having a ``window'' in which packets might go elsewhere based
13778 on a more general route. Such a route can be removed using the
13779 --unroute operation (and is implicitly removed by --delete). </BLOCKQUOTE>
13781 <P> See also this mailing list <A href="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/11/msg00523.html">
13783 <H3><A name="firewall_ate">The firewall ate my packets!</A></H3>
13784 If firewalls filter out:
13786 <LI>either the UDP port 500 packets used in IKE negotiations</LI>
13787 <LI>or the ESP and AH (protocols 50 and 51) packets used to implement
13788 the IPSEC tunnel</LI>
13790 <P> then IPSEC cannot work. The first thing to check if packets seem to
13791 be vanishing is the firewall rules on the two gateway machines and any
13792 other machines along the path that you have access to. </P>
13793 <P> For details, see our document on <A href="firewall.html">firewalls</A>
13795 <H3><A name="dropconn">Dropped connections</A></H3>
13796 <P> Networks being what they are, IPSEC connections can be broken for
13797 any number of reasons, ranging from hardware failures to various
13798 software problems such as the path MTU problems discussed <A href="#pmtu.broken">
13799 elsewhere in the FAQ</A>. Fortunately, various diagnostic tools exist
13800 that help you sort out many of the possible problems.</P>
13801 <P> There is one situation, however, where FreeS/WAN (using default
13802 settings) may destroy a connection for no readily apparent reason. This
13803 occurs when things are <STRONG>misconfigured</STRONG> so that <STRONG>
13804 two tunnels</STRONG> from the same gateway expect <STRONG>the same
13805 subnet on the far end</STRONG>.</P>
13806 <P> In this situation, the first tunnel comes up fine and works until
13807 the second is established. At that point, because of the way we track
13808 connections internally, the first tunnel ceases to exist as far as this
13809 gateway is concerned. Of course the far end does not know that, and a
13810 storm of error messages appears on both systems as it tries to use the
13812 <P> If the far end gives up, goes back to square one and negotiates a
13813 new tunnel, then that wipes out the second tunnel and ...</P>
13814 <P> The solution is simple. <STRONG>Do not build multiple conn
13815 descriptions with the same remote subnet</STRONG>.</P>
13816 <P> This is actually intended to be a feature, rather than a bug.
13817 Consider the situation where a single remote system goes down, then
13818 comes back up and reconnects to the gateway. It is useful to have the
13819 gateway tear down the old tunnel and recover resources when the
13820 reconnection is made. It recognises that situation by checking the
13821 remote subnet for each tunnel it builds and discarding duplicates. This
13822 works fine as long as you don't configure multiple tunnels with the
13823 same remote subnet.</P>
13824 <P> If this behaviour is inconvenient for you, you can disable it by
13825 setting <VAR>uniqueids=no</VAR> in <A href="manpage.d/ipsec.conf.5.html">
13826 ipsec.conf(5)</A>. </P>
13827 <H3><A name="tcpdump.faq">TCPdump on the gateway shows strange things</A>
13829 Attempting to look at IPSEC packets by running monitoring tools on the
13830 IPSEC gateway machine can produce silly results. That machine is
13831 mangling the packets for IPSEC, and possibly for firewall or NAT
13832 purposes as well. If the internals of the machine's IP stack are not
13833 what the monitoring tool expects, then the tool can misinterpret them
13834 and produce nonsense output.
13835 <P> At one point, this problem was quite severe. On more recent
13836 systems, <STRONG>the problem has been solved</STRONG>. The version of
13837 tcpdump shipped with Redhat 6.2, for example, understands IPSEC well
13838 enough to be usable on a gateway. If in doubt about your version of
13839 tcpdump, you can get the latest version from <A href="http://www.tcpdump.org/">
13840 tcpdump.org</A>. </P>
13841 <P> Even if you have a version of tcpdump that works on gateways
13842 however, the most certain way to examine IPSEC packets is to look at
13843 them on the wire. For security, you need to be certain, so we recommend
13844 doing that. To do so, you need a <STRONG>separate sniffer machine
13845 located between the two gateways</STRONG>. This machine can be routing
13846 IPSEC packets, but it must not be an IPSEC gateway. </P>
13847 <P> A common test setup is to put a machine with dual Ethernet cards in
13848 between two gateways under test. The central machine both routes
13849 packets and provides a place to safely run tcpdump or other sniffing
13850 tools. What you end up with looks like: </P>
13851 <H4>Testing network</H4>
13873 <P> With p and q any convenient values that do not interfere with other
13874 routes you may have. The ipsec.conf(5) file then has, among other
13880 leftnexthop=192.168.p.2
13882 rightnexthop=192.168.q.2
13884 Once that works, you can remove the "route/monitor box", and connect
13885 the two gateways to the Internet. The only parameters in ipsec.conf(5)
13886 that need to change are the four shown above. You replace them with
13887 values appropriate for your Internet connection, and change the eth0 IP
13888 addresses and the default routes on both gateways.
13889 <P> Note that nothing on either subnet needs to change. This lets you
13890 test most of your IPSEC setup before connecting to the insecure
13892 <H3><A name="no_trace">Traceroute does not show anything between the
13894 As far as traceroute can see, the two gateways are one hop apart; the
13895 data packet goes directly from one to the other through the tunnel. Of
13896 course the outer packets that implement the tunnel pass through
13897 whatever lies between the gateways, but those packets are built and
13898 dismantled by the gateways. Traceroute does not see them and cannot
13899 report anything about their path.
13900 <P> Here is a mailing list message with more detail. </P>
13902 Date: Mon, 14 May 2001
13903 To: linux-ipsec@freeswan.org
13904 From: "John S. Denker" <jsd@research.att.com<
13905 Subject: Re: traceroute: one virtual hop
13907 At 02:20 PM 5/14/01 -0400, Claudia Schmeing wrote:
13909 >> > A bonus question: traceroute in subnet to subnet enviroment looks like:
13911 >> > traceroute to andris.dmz (172.20.24.10), 30 hops max, 38 byte packets
13912 >> > 1 drama (172.20.1.1) 0.716 ms 0.942 ms 0.434 ms
13913 >> > 2 * * *
13914 >> > 3 andris.dmz (172.20.24.10) 73.576 ms 78.858 ms 79.434 ms
13916 >> > Why aren't there the other hosts which take part in the delivery during
13919 >If there is an ipsec tunnel between GateA and Gate B, this tunnel forms a
13920 >'virtual wire'. When it is tunneled, the original packet becomes an inner
13921 >packet, and new ESP and/or AH headers are added to create an outer packet
13922 >around it. You can see an example of how this is done for AH at
13923 >doc/ipsec.html#AH . For ESP it is similar.
13925 >Think about the packet's path from the inner packet's perspective.
13926 >It leaves the subnet, goes into the tunnel, and re-emerges in the second
13927 >subnet. This perspective is also the only one available to the
13928 >'traceroute' command when the IPSec tunnel is up.
13930 Claudia got this exactly right. Let me just expand on a couple of points:
13932 *) GateB is exactly one (virtual) hop away from GateA. This is how it
13933 would be if there were a physically private wire from A to B. The
13934 virtually private connection should work the same, and it does.
13936 *) While the information is in transit from GateA to GateB, the hop count
13937 of the outer header (the "envelope") is being decremented. The hop count
13938 of the inner header (the "contents" of the envelope) is not decremented and
13939 should not be decremented. The hop count of the outer header is not
13940 derived from and should not be derived from the hop count of the inner header.
13942 Indeed, even if the packets did time out in transit along the tunnel, there
13943 would be no way for traceroute to find out what happened. Just as
13944 information cannot leak _out_ of the tunnel to the outside, information
13945 cannot leak _into_ the tunnel from outside, and this includes ICMP messages
13946 from routers along the path.
13948 There are some cases where one might wish for information about what is
13949 happening at the IP layer (below the tunnel layer) -- but the protocol
13950 makes no provision for this. This raises all sorts of conceptual issues.
13951 AFAIK nobody has ever cared enough to really figure out what _should_
13952 happen, let alone implement it and standardize it.
13954 *) I consider the "* * *" to be a slight bug. One might wish for it to be
13955 replaced by "GateB GateB GateB". It has to do with treating host-to-subnet
13956 traffic different from subnet-to-subnet traffic (and other gory details).
13957 I fervently hope KLIPS2 will make this problem go away.
13959 *) If you want to ask questions about the link from GateA to GateB at the
13960 IP level (below the tunnel level), you have to ssh to GateA and launch a
13961 traceroute from there.
13963 <H2><A name="man4debug">Testing in stages</A></H2>
13964 <P> It is often useful in debugging to test things one at a time:</P>
13966 <LI>disable IPSEC entirely, e.g. by turning it off with chkconfig(8),
13967 and make sure routing works</LI>
13968 <LI>Once that works, try a manually keyed connection. This does not
13969 require key negotiation between Pluto and the key daemon on the other
13971 <LI>Once that works, try automatically keyed connections</LI>
13972 <LI>Once IPSEC works, add packet compression</LI>
13973 <LI>Once everything seems to work, try stress tests with large
13974 transfers, many connections, frequent re-keying, ... </LI>
13976 <P> FreeS/WAN releases are tested for all of these, so you can be
13977 reasonably certain they <EM>can</EM> do them all. Of course, that does
13978 not mean they <EM>will</EM> on the first try, especially if you have
13979 some unusual configuration. </P>
13980 <P> The rest of this section gives information on diagnosing the
13981 problem when each of the above steps fails. </P>
13982 <H3><A name="nomanual">Manually keyed connections don't work</A></H3>
13983 <P>Suspect one of:</P>
13985 <LI>mis-configuration of IPSEC system in the /etc/ipsec.conf file
13986 <BR> e.g. incorrect interface or next hop information</LI>
13987 <LI>mis-configuration of manual connection in the /etc/ipsec.conf file</LI>
13988 <LI>routing problems causing IPSEC packets to be lost</LI>
13989 <LI>bugs in KLIPS</LI>
13990 <LI>mismatch between the transforms we support and those another IPSEC
13991 implementation offers.</LI>
13993 <H3><A name="spi_error">One manual connection works, but second one
13995 This is fairly common problem when attempting to configure multiple
13996 manually keyed connections from a single gateway.
13997 <P> Each connection must be identified by a unique <A href="#SPI">SPI</A>
13998 value. For automatic connections, these values are assigned
13999 automatically. For manual connections, you must set them with <VAR>spi=</VAR>
14000 statements in <A href="manpage.d/ipsec.conf.5.html">ipsec.conf(5)</A>. </P>
14001 <P> Each manual connection must have a unique SPI value in the range
14002 0x100 to 0x999. Two or more with the same value will fail. For details,
14003 see our HTML doc section <A href="#prodman">Using manual keying in
14004 production</A> and the man page <A href="manpage.d/ipsec.conf.5.html">
14005 ipsec.conf(5)</A>. </P>
14006 <H3><A name="man_no_auto">Manual connections work, but automatic keying
14008 The most common reason for this behaviour is a firewall dropping the
14009 UDP port 500 packets used in key negotiation.
14010 <P> Other possibilities:</P>
14012 <LI>mis-configuration of auto connection in the /etc/ipsec.conf file. </LI>
14013 <P>One common configuration error is forgetting that you need <VAR>
14014 auto=add</VAR> to load the connection description on the receiving end
14015 so it recognises the connection when the other end asks for it.</P>
14016 <LI>error in shared secret in /etc/ipsec.secrets</LI>
14017 <LI>one gateway lacks a route to the other so Pluto's UDP packets are
14019 <LI>bugs in Pluto</LI>
14020 <LI>incompatibilities between Pluto's <A href="#IKE">IKE</A>
14021 implementation and the IKE at the other end of the tunnel. </LI>
14022 <P>Some possibile problems are discussed in out <A href="#interop.problem">
14023 interoperation</A> document.</P>
14025 <H3><A name="nocomp">IPSEC works, but connections using compression fail</A>
14029 <LI>(especially if small packets are OK, but large ones fail)
14030 compatibility issues with other implementations. We follow the RFCs
14031 and omit some extra material that many compression libraries add by
14032 default. Others may have the extras left in.</LI>
14033 <LI>bugs in the FreeS/WAN IPComp code, which is new for 1.6 and not yet
14034 heavily tested</LI>
14036 <H3><A name="pmtu.broken">Small packets work, but large transfers fail</A>
14038 <P> If tests with ping(1) and a small packet size succeed, but tests or
14039 transfers with larger packet sizes fail, suspect problems with <A href="#pathMTU">
14040 path MTU discovery</A>.</P>
14041 <P> IPSEC makes packets larger by adding an ESP or AH header. This can
14042 tickle assorted bugs in path MTU discovery mechanisms and cause a
14043 variety of annoying symptoms. Here is one example of a discussion of
14044 this problem off the mailing list:</P>
14046 Date: Mon, 3 Apr 2000
14047 From: "Michael H. Warfield" <mhw@wittsend.com>
14051 > Chris> It appears that the Osicom router discards IP
14052 > Chris> fragments...
14054 > Amazing. A device that discards fragments isn't a router, it's at
14055 > best a boat anchor.
14057 It may not be exactly what it appears. I ran into a similar problem
14058 with an ISDN link a while ago giving similar symptoms. Turned out that
14059 the device was negotiating an MTU that it really couldn't handle and the
14060 device in front of it (a Linux box with always defragment enabled) was
14061 defragmenting the huge IPSec datagrams and then refragmenting them into
14062 hunks that the ISDN PPP thought it could handle but couldn't. Problem was
14063 solved by manually capping the MTU on the ISDN link to a smaller value.
14065 I gave the FreeSwan guys a hard time until tracking it down since
14066 FreeSwan was the only thing that appeared to be able to tickle the bug.
14067 Nothing else seemed to be broken. What it really was that MTU discovery
14068 was avoiding the problem on normal links and it was only the IPSEC tunnels
14069 that were creating huge datagrams that went through the defragment/refragment
14072 Point here is that it "appeared" as though the ISDN link was
14073 failing to handle fragments when it was really a configuration error and
14074 a software bug resulting in a bad MTU that was really the culprit. So
14075 it may not be that the router is not handling fragments. It may be that
14076 it's missconfigured or has some other bug that only FreeSwan is tripping
14079 <H3><A name="subsub">Subnet-to-subnet works, but tests from the
14080 gateways don't</A></H3>
14081 This is described under <A href="#cantping">I cannot ping...</A>
14083 <H2><A name="error">Interpreting error messages</A></H2>
14084 <H3><A name="unreachable">SIOCADDRT:Network is unreachable</A></H3>
14085 This message is not from FreeS/WAN, but from the Linux IP stack
14086 itself. That stack is seeing packets it has no route for, either
14087 because your routing was broken before FreeS/WAN started or because
14088 FreeS/WAN's changes broke it.
14089 <P> Here is a message from FreeS/WAN "listress" (mailing list tech
14090 support person) Claudia Schmeing suggesting ways to diagnose and fix
14091 such problems: </P>
14094 > I have correctly installed freeswan-1.8 on RH7.0 kernel 2.2.17, but when
14095 > I setup a VPN connection with the other machine(RH5.2 Kernel 2.0.36
14096 > freeswan-1.0, it works well.) it told me that
14097 > "SIOCADDRT:Network is unreachable"! But the network connection is no
14100 Often this error is the result of a misconfiguration.
14102 Be sure that you can route successfully in the absence of Linux
14103 FreeS/WAN. (You say this is no problem, so proceed to the next step.)
14105 Use a custom copy of the default updownscript. Do not change the route
14106 commands, but add a diagnostic message revealing the exact text of the
14107 route command. Is there a problem with the sense of the route command
14108 that you can see? If so, then re-examine those ipsec.conf settings
14109 that are being sent to the route command.
14111 You may wish to use the ipsec auto --route and --unroute commands to
14112 troubleshoot the problem. See man ipsec_auto for details.
14114 Since the above message was written, we have modified the updown
14115 script to provide a better diagnostic for this problem. Check <VAR>
14116 /var/log/messages</VAR>.
14117 <H3><A name="noKLIPS">ipsec_setup: Fatal error, kernel appears to lack
14119 This message indicates an installation failure. The kernel you are
14120 running does not contain the KLIPS (kernel IPSEC) code.
14121 <P> Commands you can quickly try are: </P>
14123 <DT><VAR>uname -a</VAR></DT>
14124 <DD>to get details, including compilation date and time, of the
14125 currently running kernel </DD>
14126 <DT><VAR>ls /</VAR></DT>
14127 <DT><VAR>ls /boot</VAR></DT>
14128 <DD>to ensure a new kernel is where it should be. If kernel compilation
14129 puts it in <VAR>/</VAR> but <VAR>lilo</VAR> wants it in <VAR>/boot</VAR>
14130 , then you should uncomment the <VAR>INSTALL_PATH=/boot</VAR> line in
14131 the kernel <VAR>Makefile</VAR>. </DD>
14132 <DT><VAR>more /etc/lilo.conf</VAR></DT>
14133 <DD>to see that <VAR>lilo</VAR> has correct information </DD>
14134 <DT><VAR>lilo</VAR></DT>
14135 <DD>to ensure that information in <VAR>/etc/lilo.conf</VAR> has been
14136 transferred to the boot sector </DD>
14138 If those don't find the problem, you have to go back and check through
14139 the <A href="install.html">install</A> procedure to see what was
14141 <P> Here is one of Claudia's messages on the topic: </P>
14143 > I tried to install freeswan 1.8 on my mandrake 7.2 test box. ...
14145 > It does show version and some output for whack.
14147 Yes, because the Pluto (daemon) part of ipsec is installed correctly, but
14148 as we see below the kernel portion is not.
14150 > However, I get the following from /var/log/messages:
14152 > Mar 11 22:11:55 pavillion ipsec_setup: Starting FreeS/WAN IPSEC 1.8...
14153 > Mar 11 22:12:02 pavillion ipsec_setup: modprobe: Can't locate module ipsec
14154 > Mar 11 22:12:02 pavillion ipsec_setup: Fatal error, kernel appears to lack
14157 This is your problem. You have not successfully installed a kernel with
14158 IPSec machinery in it.
14160 Did you build Linux FreeS/WAN as a module? If so, you need to ensure that
14161 your new module has been installed in the directory where your kernel
14162 loader normally finds your modules. If not, you need to ensure
14163 that the new IPSec-enabled kernel is being loaded correctly.
14165 See also doc/install.html, and INSTALL in the distro.
14167 <H3><A name="noDNS">ipsec_setup: ... failure to fetch key for ... from
14171 Note that by default, FreeS/WAN is now set up to
14172 (a) authenticate with RSA keys, and
14173 (b) fetch the public key of the far end from DNS.
14174 Explicit attention to ipsec.conf will be needed if you want
14175 to do something different.
14177 and Claudia, responding to the same user:
14181 > My current setup in ipsec.conf is leftrsasigkey=%dns I have
14182 > commented this and authby=rsasig out. I am able to get ipsec running,
14183 > but what I find is that the documentation only specifies for %dns are
14184 > there any other values that can be placed in this variable other than
14185 > %dns and the key? I am also assuming that this is where I would place
14186 > my public key for the left and right side as well is this correct?
14188 Valid values for authby= are rsasig and secret, which entail authentication
14189 by RSA signature or by shared secret, respectively. Because you have
14190 commented authby=rsasig out, you are using the default value of authby=secret.
14192 When using RSA signatures, there are two ways to get the public key for the
14193 IPSec peer: either copy it directly into *rsasigkey= in ipsec.conf, or
14194 fetch it from dns. The magic value %dns for *rsasigkey parameters says to
14195 try to fetch the peer's key from dns.
14197 For any parameters, you may find their significance and special values in
14198 man ipsec.conf. If you are setting up keys or secrets, be sure also to
14199 reference man ipsec.secrets.
14201 <H3><A name="dup_address">ipsec_setup: ... interfaces ... and ... share
14202 address ...</A></H3>
14203 This is a fatal error. FreeS/WAN cannot cope with two or more
14204 interfaces using the same IP address. You must re-configure to avoid
14206 <P> A mailing list message on the topic from Pluto developer Hugh
14209 | I'm trying to get freeswan working between two machine where one has a ppp
14211 | I've already suceeded with two machines with ethernet ports but the ppp
14212 | interface is causing me problems.
14213 | basically when I run ipsec start i get
14214 | ipsec_setup: Starting FreeS/WAN IPSEC 1.7...
14215 | ipsec_setup: 003 IP interfaces ppp1 and ppp0 share address 192.168.0.10!
14216 | ipsec_setup: 003 IP interfaces ppp1 and ppp2 share address 192.168.0.10!
14217 | ipsec_setup: 003 IP interfaces ppp0 and ppp2 share address 192.168.0.10!
14218 | ipsec_setup: 003 no public interfaces found
14220 | followed by lots of cannot work out interface for connection messages
14222 | now I can specify the interface in ipsec.conf to be ppp0 , but this does
14223 | not affect the above behaviour. A quick look in server.c indicates that the
14224 | interfaces value is not used but some sort of raw detect happens.
14226 | I guess I could prevent the formation of the extra ppp interfaces or
14227 | allocate them different ip but I'd rather not. if at all possible. Any
14228 | suggestions please.
14230 Pluto won't touch an interface that shares an IP address with another.
14231 This will eventually change, but it probably won't happen soon.
14233 For now, you will have to give the ppp1 and ppp2 different addresses.
14235 <H3><A name="kflags">ipsec_setup: Cannot adjust kernel flags</A></H3>
14236 A mailing list message form technical lead Henry Spencer:
14238 > When FreeS/WAN IPSEC 1.7 is starting on my 2.0.38 Linux kernel the following
14239 > error message is generated:
14240 > ipsec_setup: Cannot adjust kernel flags, no /proc/sys/net/ipsec directory!
14241 > What is supposed to create this directory and how can I fix this problem?
14243 I think that directory is a 2.2ism, although I'm not certain (I don't have
14244 a 2.0.xx system handy any more for testing). Without it, some of the
14245 ipsec.conf config-setup flags won't work, but otherwise things should
14248 You also need to enable the <VAR>/proc</VAR> filesystem in your kernel
14249 configuration for these operations to work.
14250 <H3><A name="conn_name">Connection names in Pluto error messages</A></H3>
14251 <P> From Pluto programmer Hugh Redelmeier:</P>
14253 | Jan 17 16:21:10 remus Pluto[13631]: "jumble" #1: responding to Main Mode from Road Warrior 130.205.82.46
14254 | Jan 17 16:21:11 remus Pluto[13631]: "jumble" #1: no suitable connection for peer @banshee.wittsend.com
14256 | The connection "jumble" has nothing to do with the incoming
14257 | connection requests, which were meant for the connection "banshee".
14259 You are right. The message tells you which Connection Pluto is
14260 currently using, which need not be the right one. It need not be the
14261 right one now for the negotiation to eventually succeed! This is
14262 described in ipsec_pluto(8) in the section "Road Warrior Support".
14264 There are two times when Pluto will consider switching Connections for
14265 a state object. Both are in response to receiving ID payloads (one in
14266 Phase 1 / Main Mode and one in Phase 2 / Quick Mode). The second is
14267 not unique to Road Warriors. In fact, neither is the first any more
14268 (two connections for the same pair of hosts could differ in Phase 1 ID
14269 payload; probably nobody else has tried this).
14271 <H3><A name="cantorient">Pluto: ... can't orient connection</A></H3>
14272 Each Pluto needs to know whether it is running on the machine which
14273 the connection description calls <VAR>left</VAR> or on <VAR>right</VAR>
14274 . It figures that out by:
14276 <LI>looking at the interfaces given in <VAR>interfaces=</VAR> lines in
14277 the <VAR>config setup</VAR> section </LI>
14278 <LI>discovering the IP addresses for those interfaces </LI>
14279 <LI>searching for a match between those addresses and the ones given
14280 in <VAR>left=</VAR> or <VAR>right=</VAR> lines. </LI>
14282 <P> Normally a match is found. Then Pluto knows where it is and can set
14283 up other things (for example, if it is <VAR>left</VAR>) using
14284 parameters such as <VAR>leftsubnet</VAR> and <VAR>leftnexthop</VAR>,
14285 and sending its outgoing packets to <VAR>right</VAR>. </P>
14286 <P> If no match is found, it emits the above error message. </P>
14287 <H3><A name="noconn">Pluto: ... no connection is known</A></H3>
14288 This error message occurs when a remote system attempts to negotiate a
14289 connection and Pluto does not have a connection description that
14290 matches what the remote system has requested. The most common cause is
14291 a configuration error on one end or the other.
14292 <P> Parameters involved in this match are <VAR>left</VAR>, <VAR>right</VAR>
14293 , <VAR>leftsubnet</VAR> and <VAR>rightsubnet</VAR>. </P>
14294 <P><STRONG> The match must be exact</STRONG>. For example, if your left
14295 subnet is a.b.c.0/24 then neither a single machine in that net nor a
14296 smaller subnet such as a.b.c.64/26 will be considered a match. </P>
14297 <P> The message can also occur when an appropriate description exists
14298 but Pluto has not loaded it. Use an <VAR>auto=add</VAR> statement in
14299 the connection description, or an <VAR>ipsec auto --add <conn_name></VAR>
14300 command, to correct this. </P>
14301 <P> An explanation from the Pluto developer: </P>
14303 | Jul 12 15:00:22 sohar58 Pluto[574]: "corp_road" #2: cannot respond to IPsec
14304 | SA request because no connection is known for
14305 | 216.112.83.112/32===216.112.83.112...216.67.25.118
14307 This is the first message from the Pluto log showing a problem. It
14308 means that PGPnet is trying to negotiate a set of SAs with this
14311 216.112.83.112/32===216.112.83.112...216.67.25.118
14312 ^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^ ^^^^^^^^^^^^^
14313 client on our side our host PGPnet host, no client
14315 None of the conns you showed look like this.
14318 ipsec auto --status
14319 to see a snapshot of what connections are in pluto, what
14320 negotiations are going on, and what SAs are established.
14322 The leftsubnet= (client) in your conn is 216.112.83.64/26. It must
14323 exactly match what pluto is looking for, and it does not.
14325 <H3><A name="nosuit">Pluto: ... no suitable connection ...</A></H3>
14326 This is similar to the <A href="#noconn">no connection known</A>
14327 error, but occurs at a different point in Pluto processing.
14328 <P> Here is one of Claudia's messages explaining the problem: </P>
14332 > What could be the reason of the following error?
14333 > "no suitable connection for peer '@xforce'"
14335 When a connection is initiated by the peer, Pluto must choose which entry in
14336 the conf file best matches the incoming connection. A preliminary choice is
14337 made on the basis of source and destination IPs, since that information is
14338 available at that time.
14340 A payload containing an ID arrives later in the negotiation. Based on this
14341 id and the *id= parameters, Pluto refines its conn selection. ...
14343 The message "no suitable connection" indicates that in this refining step,
14344 Pluto does not find a connection that matches that ID.
14346 Please see "Selecting a connection when responding" in man ipsec_pluto for
14349 <P> See also <A href="#conn_name">Connection names in Pluto error
14351 <H3><A name="noconn.auth">Pluto: ... no connection has been authorized</A>
14353 Here is one of Claudia's messages discussing this problem:
14357 > May 22 10:46:31 debian Pluto[25834]: packet from x.y.z.p:10014:
14358 > initial Main Mode message from x.y.z.p:10014
14359 but no connection has been authorized
14361 This error occurs early in the connection negotiation process,
14362 at the first step of IKE negotiation (Main Mode), which is itself the
14363 first of two negotiation phases involved in creating an IPSec connection.
14365 Here, Linux FreeS/WAN receives a packet from a potential peer, which
14366 requests that they begin discussing a connection.
14368 The "no connection has been authorized" means that there is no connection
14369 description in Linux FreeS/WAN's internal database that can be used to
14370 link your ipsec interface with that peer.
14372 "But of course I configured that connection!"
14374 It may be that the appropriate connection description exists in ipsec.conf
14375 but has not been added to the database with ipsec auto --add myconn or the
14376 auto=add method. Or, the connection description may be misconfigured.
14378 The only parameters that are relevant in this decision are left= and right= .
14379 Local and remote ports are also taken into account -- we see that the port
14380 is printed in the message above -- but there is no way to control these
14384 Failure at "no connection has been authorized" is similar to the
14385 "no connection is known for..." error in the FAQ, and the "no suitable
14386 connection" error described in the snapshot's FAQ. In all three cases,
14387 Linux FreeS/WAN is trying to match parameters received in the
14388 negotiation with the connection description in the local config file.
14390 As it receives more information, its matches take more parameters into
14391 account, and become more precise: first the pair of potential peers,
14392 then the peer IDs, then the endpoints (including any subnets).
14394 The "no suitable connection for peer *" occurs toward the end of IKE
14395 (Main Mode) negotiation, when the IDs are matched.
14397 "no connection is known for a/b===c...d" is seen at the beginning of IPSec
14398 (Quick Mode, phase 2) negotiation, when the connections are matched using
14399 left, right, and any information about the subnets.
14401 <H3><A name="noDESsupport">Pluto: ... OAKLEY_DES_CBC is not supported.</A>
14403 This message occurs when the other system attempts to negotiate a
14404 connection using single DES, which we do not support because it is <A href="#desnotsecure">
14406 <P> Our interoperation document has suggestions for <A href="#noDES">
14407 how to deal with</A> systems that attempt to use single DES. </P>
14408 <H3><A name="notransform"> Pluto: ... no acceptable transform</A></H3>
14409 This message means that the other gateway has made a proposal for
14410 connection parameters, but nothing they proposed is acceptable to
14411 Pluto. Possible causes include:
14413 <LI>misconfiguration on either end </LI>
14414 <LI>policy incompatibilities, for example we require encrypted
14415 connections but they are trying to create one with just authentication </LI>
14416 <LI>interoperation problems, for example they offer only single DES and
14417 FreeS/WAN does not support that. (see <A href="#noDES">below</A> for
14418 DES problems) </LI>
14420 A more detailed explanation, from Pluto programmer Hugh Redelmeier:
14424 When one IKE system (for example, Pluto) is negotiating with another
14425 to create an SA, the Initiator proposes a bunch of choices and the
14426 Responder replies with one that it has selected.
14428 The structure of the choices is fairly complicated. An SA payload
14429 contains a list of lists of "Proposals". The outer list is a set of
14430 choices: the selection must be from one element of this list.
14432 Each of these elements is a list of Proposals. A selection must be
14433 made from each of the elements of the inner list. In other words,
14434 *all* of them apply (that is how, for example, both AH and ESP can
14437 Within each of these Proposals is a list of Transforms. For each
14438 Proposal selected, one Transform must be selected (in other words,
14439 each Proposal provides a choice of Transforms).
14441 Each Transform is made up of a list of Attributes describing, well,
14442 attributes. Such as lifetime of the SA. Such as algorithm to be
14443 used. All the Attributes apply to a Transform.
14445 You will have noticed a pattern here: layers alternate between being
14446 disjunctions ("or") and conjunctions ("and").
14448 For Phase 1 / Main Mode (negotiating an ISAKMP SA), this structure is
14449 cut back. There must be exactly one Proposal. So this degenerates to
14450 a list of Transforms, one of which must be chosen.
14452 In your case, no proposal was considered acceptable to Pluto (the
14453 Responder). So negotiation ceased. Pluto logs the reason it rejects
14454 each Transform. So look back in the log to see what is going wrong.
14456 <H3><A name="econnrefused">ECONNREFUSED error message</A></H3>
14457 <P> From John Denker, on the mailing list:</P>
14460 some IKE message we sent has been rejected with
14461 ECONNREFUSED (kernel supplied no details)
14462 is much more suitable than the previous version. Thanks.
14464 2) Minor suggestion for further improvement: it might be worth mentioning
14466 tcpdump -i eth1 icmp[0] != 8 and icmp[0] != 0
14467 is useful for tracking down the details in question. We shouldn't expect
14468 all IPsec users to figure that out on their own. The log message might
14469 even provide a hint as to where to look in the docs.
14471 <P> Reply From Pluto developer Hugh Redelmeier</P>
14475 I've added a bit pluto(8)'s BUGS section along these lines.
14476 I didn't have the heart to lengthen this message.
14478 <LI><A name="no_eroute">klips_debug: ... no eroute!</A> This message
14479 means <A href="#KLIPS">KLIPS</A> has received a packet for which no
14480 IPSEC tunnel has been defined. </LI>
14481 <P> Here is a more detailed duscussion from the team's tech support
14482 person Claudia Schmeing, responding to a query on the mailing list: </P>
14484 > Why ipsec reports no eroute! ???? IP Masq... is disabled.
14485 In general, more information is required so that people on the list may
14486 give you informed input. See doc/prob.report.
14488 However, I can make some general comments on this type of error.
14490 This error usually looks something like this (clipped from an archived
14493 > ttl:64 proto:1 chk:45459 saddr:192.168.1.2 daddr:192.168.100.1
14494 > ... klips_debug:ipsec_findroute: 192.168.1.2->192.168.100.1
14495 > ... klips_debug:rj_match: * See if we match exactly as a host destination
14496 > ... klips_debug:rj_match: ** try to match a leaf, t=0xc1a260b0
14497 > ... klips_debug:rj_match: *** start searching up the tree, t=0xc1a260b0
14498 > ... klips_debug:rj_match: **** t=0xc1a260c8
14499 > ... klips_debug:rj_match: **** t=0xc1fe5960
14500 > ... klips_debug:rj_match: ***** not found.
14501 > ... klips_debug:ipsec_tunnel_start_xmit: Original head/tailroom: 2, 28
14502 > ... klips_debug:ipsec_tunnel_start_xmit: no eroute!: ts=47.3030, dropping.
14505 What does this mean?
14506 - --------------------
14508 "eroute" stands for "extended route", and is a special type of route
14509 internal to Linux FreeS/WAN. For more information about this type of route,
14510 see the section of man ipsec_auto on ipsec auto --route.
14512 "no eroute!" here means, roughly, that Linux FreeS/WAN cannot find an
14513 appropriate tunnel that should have delivered this packet. Linux
14514 FreeS/WAN therefore drops the packet, with the message "no eroute! ...
14515 dropping", on the assumption that this packet is not a legitimate
14516 transmission through a properly constructed tunnel.
14519 How does this situation come about?
14520 - -----------------------------------
14522 Linux FreeS/WAN has a number of connection descriptions defined in
14523 ipsec.conf. These must be successfully brought "up" to form actual tunnels.
14524 (see doc/setup.html's step 15, man ipsec.conf and man ipsec_auto
14527 Such connections are often specific to the endpoints' IPs. However, in
14528 some cases they may be more general, for example in the case of
14529 Road Warriors where left or right is the special value %any.
14531 When Linux FreeS/WAN receives a packet, it verifies that the packet has
14532 come through a legitimate channel, by checking that there is an
14533 appropriate tunnel through which this packet might legitimately have
14534 arrived. This is the process we see above.
14536 First, it checks for an eroute that exactly matches the packet. In the
14537 example above, we see it checking for a route that begins at 192.168.1.2
14538 and ends at 192.168.100.1. This search favours the most specific match that
14539 would apply to the route between these IPs. So, if there is a connection
14540 description exactly matching these IPs, the search will end there. If not,
14541 the code will search for a more general description matching the IPs.
14542 If there is no match, either specific or general, the packet will be
14543 dropped, as we see, above.
14545 Unless you are working with Road Warriors, only the first, specific part
14546 of the matching process is likely to be relevant to you.
14549 "But I defined the tunnel, and it came up, why do I have this error?"
14550 - ---------------------------------------------------------------------
14552 One of the most common causes of this error is failure to specify enough
14553 connection descriptions to cover all needed tunnels between any two
14554 gateways and their respective subnets. As you have noticed, troubleshooting
14555 this error may be complicated by the use of IP Masq. However, this error is
14556 not limited to cases where IP Masq is used.
14558 See doc/configuration.html#multitunnel for a detailed example of the
14559 solution to this type of problem.
14561 <H3><A name="SAused">... trouble writing to /dev/ipsec ... SA already
14563 From the mailing list:
14565 > When I activate one manual tunnels it works, but when I try to activate
14566 > another tunnel, it gives an error message...
14567 > tunnel_2: Had trouble writing to /dev/ipsec SA:tun0x200@202.103.5.63 --
14568 > SA already in use. Delete old one first.
14570 Please read the Using manual keying in production discussion in
14571 config.html, specifically the part about needing a different spi
14572 (or spibase) setting for each connection.
14574 This problem is also discussed in this FAQ under the heading <A href="#spi_error">
14575 One manual connection works, but second one fails</A>.
14576 <H3><A name="ignore">... ignoring ... payload</A></H3>
14577 This message is harmless. The IKE protocol provides for a number of
14578 optional messages types:
14580 <LI>delete SA </LI>
14581 <LI>initial contact </LI>
14582 <LI>vendor ID </LI>
14585 An implementation is never required to send these, but they are
14586 allowed to. The receiver is not required to do anything with them.
14587 FreeS/WAN ignores them, but notifies you via the logs.
14588 <P> For the "ignoring delete SA Payload" message, see also the
14589 discussion below of cleaning up <A href="#deadtunnel">dead tunnels</A>. </P>
14590 <H2><A name="canI">Can I ...</A></H2>
14591 <H3><A name="reload">Can I reload connection info without restarting?</A>
14593 Yes, you can do this. Here are the details, in a mailing list message
14594 from Pluto programmer Hugh Redelmeier:
14596 | How can I reload config's without restarting all of pluto and klips? I am using
14597 | FreeSWAN -> PGPNet in a medium sized production environment, and would like to be
14598 | able to add new connections ( i am using include config/* ) without dropping current
14601 | Can this be done?
14603 | If not, are there plans to add this kind of feature?
14605 ipsec auto --add whatever
14606 This will look in the usual place (/etc/ipsec.conf) for a conn named
14607 whatever and add it.
14609 If you added new secrets, you need to do
14610 ipsec auto --rereadsecrets
14611 before Pluto needs to know those secrets.
14613 | I have looked (perhaps not thoroughly enough tho) to see how to do this:
14615 There may be more bits to look for, depending on what you are trying
14618 <P> Another useful command here is <NOBR><VAR>ipsec auto --replace
14619 <conn_name></VAR></NOBR> which re-reads data for a named connection. </P>
14620 <H3><A name="masq.faq">Can I use several masqueraded subnets?</A></H3>
14621 Yes. This is done all the time. See the discussion in our <A href="#route_or_not">
14622 setup</A> document. The only restriction is that the subnets on the two
14623 ends must not overlap. See the next question.
14624 <P> Here is a mailing list message on the topic. The user incorrectly
14625 thinks you need a 2.4 kernel for this -- actually various people have
14626 been doing it on 2.0 and 2.2 for quite some time -- but he has it right
14629 Subject: Double NAT and freeswan working :)
14630 Date: Sun, 11 Mar 2001
14631 From: Paul Wouters <paul@xtdnet.nl>
14633 Just to share my pleasure, and make an entry for people who are searching
14634 the net on how to do this. Here's the very simple solution to have a double
14635 NAT'ed network working with freeswan. (Not sure if this is old news, but I'm
14636 not on the list (too much spam) and I didn't read this in any HOWTO/FAQ/doc
14637 on the freeswan site yet (Sandy, put it in! :)
14639 10.0.0.0/24 --- 10.0.0.1 a.b.c.d ---- a.b.c.e {internet} ----+
14641 10.0.1.0/24 --- 10.0.1.1 f.g.h.i ---- f.g.h.j {internet} ----+
14643 the goal is to have the first network do a VPN to the second one, yet also
14644 have NAT in place for connections not destinated for the other side of the
14645 NAT. Here the two Linux security gateways have one real IP number (cable
14646 modem, dialup, whatever.
14648 The problem with NAT is you don't want packets from 10.*.*.* to 10.*.*.*
14649 to be NAT'ed. While with Linux 2.2, you can't, with Linux 2.4 you can.
14651 (This has been tested and works for 2.4.2 with Freeswan snapshot2001mar8b)
14653 relevant parts of /etc/ipsec.conf:
14656 leftsubnet=10.0.1.0/24
14657 leftnexthop=f.g.h.j
14659 leftid=@firewall.netone.nl
14660 leftrsasigkey=0x0........
14662 rightsubnet=10.0.0.0/24
14663 rightnexthop=a.b.c.e
14665 rightid=@firewall.nettwo.nl
14666 rightrsasigkey=0x0......
14667 # To authorize this connection, but not actually start it, at startup,
14671 and now the real trick. Setup the NAT correctly on both sites:
14674 iptables -t nat -A POSTROUTING -o eth0 -d \! 10.0.0.0/8 -j MASQUERADE
14676 This tells the NAT code to only do NAT for packets with destination other then
14677 10.* networks. note the backslash to mask the exclamation mark to protect it
14684 <H3><A name="dup_route">Can I use subnets masqueraded to the same
14685 addresses?</A></H3>
14686 <STRONG> No.</STRONG> The notion that IP addresses are unique is one of
14687 the fundamental principles of the IP protocol. Messing with it is
14688 exceedingly perilous.
14689 <P> Fairly often a situation comes up where a company has several
14690 branches, all using the same <A href="#non-routable">non-routable
14691 addresses</A>, perhaps 192.168.0.0/24. This works fine as long as those
14692 nets are kept distinct. The <A href="#masq">IP masquerading</A> on
14693 their firewalls ensures that packets reaching the Internet carry the
14694 firewall address, not the private address. </P>
14695 <P> This can break down when IPSEC enters the picture. FreeS/WAN builds
14696 a tunnel that pokes through both masquerades and delivers packets from <VAR>
14697 leftsubnet</VAR> to <VAR>rightsubnet</VAR> and vice versa. For this to
14698 work, the two subnets <EM>must</EM> be distinct. </P>
14699 <P> There are several solutions to this problem. </P>
14701 <LI>Usually, you <STRONG>re-number the subnets</STRONG>. Perhaps the
14702 Vancouver office becomes 192.168.101.0/24, Calgary 192.168.102.0/24 and
14703 so on. FreeS/WAN can happily handle this. With, for example <VAR>
14704 leftsubnet=192.168.101.0/24</VAR> and <VAR>rightsubnet=192.168.102.0/24</VAR>
14705 in a connection description, any machine in Calgary can talk to any
14706 machine in Vancouver. If you want to be more restrictive and use
14707 something like <VAR>leftsubnet=192.168.101.128/25</VAR> and <VAR>
14708 rightsubnet=192.168.102.240/28</VAR> so only certain machines on each
14709 end have access to the tunnel, that's fine too. </LI>
14710 <LI>You could also <STRONG>split the subnet</STRONG> into smaller ones,
14711 for example using <VAR>192.168.1.0/25</VAR> in Vancouver and <VAR>
14712 rightsubnet=192.168.0.128/25</VAR> in Calgary. </LI>
14713 <LI>Alternately, you can just <STRONG>give up routing</STRONG> directly
14714 to machines on the subnets. Omit the <VAR>leftsubnet</VAR> and <VAR>
14715 rightsubnet</VAR> parameters from your connection descriptions. Your
14716 IPSEC tunnels will then run between the public interfaces of the two
14717 firewalls. Packets will be masqueraded both before they are put into
14718 tunnels and after they emerge. Your Vancouver client machines will see
14719 only one Calgary machine, the firewall. </LI>
14721 <H3><A name="road.masq">Can I assign a road warrior an address on my
14723 Yes, but it is tricky. This has been discussed on the mailing list.
14724 The discussion was not entirely clear to me, so I cannot yet document
14725 the procedures. At this point, all I know is:
14727 <LI>You can use a variant of the <A href="#extruded">extruded subnet</A>
14729 <LI>You have to avoid having the road warrior's assigned address within
14730 the range you actually use at home base. See previous question. </LI>
14731 <LI>On the other hand, you want the roadwarrior's address to be within
14732 the range that <EM>seems</EM> to be on your network. </LI>
14734 <P> For example, you might have: </P>
14736 <DT>leftsubnet=a.b.c.0/25</DT>
14737 <DD>head office network</DD>
14738 <DT>rightsubnet=a.b.c.240/32</DT>
14739 <DD>extruded to a road warrior</DD>
14740 <DT>a.b.c.0/24</DT>
14741 <DD>whole network, including both the above</DD>
14743 <H3><A name="QoS">Can I use Quality of Service routing with FreeS/WAN?</A>
14745 From project technical lead Henry Spencer:
14747 > Do QoS add to FreeS/WAN?
14748 >For example integrating DiffServ and FreeS/WAN?
14750 With a current version of FreeS/WAN, you will have to add hidetos=no to
14751 the config-setup section of your configuration file. By default, the TOS
14752 field of tunnel packets is zeroed; with hidetos=no, it is copied from the
14753 packet inside. (This is a modest security hole, which is why it is no
14754 longer the default.)
14756 DiffServ does not interact well with tunneling in general. Ways of
14757 improving this are being studied.
14759 <P> Copying the TOS information from the encapsulated packet to the
14760 outer header reveals the TOS information to an eavesdropper. It is not
14761 clear whether or how an attacker could use this information, but since
14762 we do not have to give it to him, our default is not to. </P>
14763 <P> See <A href="manpage.d/ipsec.conf.5.html">ipsec.conf(5)</A> for
14764 more on the <VAR>hidetos=</VAR> parameter. </P>
14765 <H3><A name="deadtunnel">Can I recognise dead tunnels and shut them
14767 There is no general mechanism to do this is in the IPSEC protocols.
14768 <P> From time to time, there is discussion on the IETF Working Group <A href="#IETF">
14769 mailing list</A> of adding a "keep-alive" mechanism (which some say
14770 should be called "make-dead"), but it is a fairly complex problem and
14771 no consensus has been reached on whether or how it should be done. </P>
14772 <P> The protocol does have optional <A href="#ignore">delete-SA</A>
14773 messages which one side can send when it closes a connection in hopes
14774 this will cause the other side to do the same. FreeS/WAN does not
14775 currently support these. In any case, they would not solve the problem
14778 <LI>a gateway that crashes or hangs would not send the messages </LI>
14779 <LI>the sender is not required to send them </LI>
14780 <LI>they are not authenticated, so any receiver that trusts them leaves
14781 itself open to a <A href="#DoS">denial of service</A> attack </LI>
14782 <LI>the receiver is not required to do anything about them </LI>
14783 <LI>the receiver cannot acknowledge them; the protocol provides no
14784 mechanism for that </LI>
14785 <LI>since they are not acknowledged, the sender cannot rely on them </LI>
14787 <P> However, connections do have limited lifetimes and you can control
14788 how many attempts your gateway makes to rekey before giving up. For
14789 example, you can set: </P>
14795 With these settings old connections will be cleaned up. Within 30
14796 minutes of the other end dying, rekeying will be attempted. If it
14797 succeeds, the new connection replaces the old one. If it fails, no new
14798 connection is created. Either way, the old connection is taken down
14799 when its lifetime expires.
14800 <P> Here is a mailing list message on the topic from FreeS/WAN tech
14801 support person Claudia Schmeing: </P>
14803 You ask how to determine whether a tunnel is redundant:
14805 > Can anybody explain the best way to determine this. Esp when a RW has
14806 > disconnected? I thought 'ipsec auto --status' might be one way.
14808 If a tunnel goes down from one end, Linux FreeS/WAN on the
14809 other end has no way of knowing this until it attempts to rekey.
14810 Once it tries to rekey and fails, it will 'know' that the tunnel is
14813 Because it doesn't have a way of knowing the state until this point,
14814 it will also not be able to tell you the state via ipsec auto --status.
14816 > However, comparing output from a working tunnel with that of one that
14818 > did not show clearly show tunnel status.
14820 If your tunnel is down but not 'unrouted' (see man ipsec_auto), you
14821 should not be able to ping the opposite side of the tunnel. You can
14822 use this as an indicator of tunnel status.
14824 On a related note, you may be interested to know that as of 1.7,
14825 redundant tunnels caused by RW disconnections are likely to be
14826 less of a pain. From doc/CHANGES:
14828 There is a new configuration parameter, uniqueids, to control a new Pluto
14829 option: when a new connection is negotiated with the same ID as an old
14830 one, the old one is deleted immediately. This should help eliminate
14831 dangling Road Warrior connections when the same Road Warrior reconnects.
14832 It thus requires that IDs not be shared by hosts (a previously legal but
14833 probably useless capability). NOTE WELL: the sample ipsec.conf now has
14834 uniqueids=yes in its config-setup section.
14841 <H3><A name="demanddial">Can I build IPSEC tunnels over a demand-dialed
14843 This is possible, but not easy. FreeS/WAN technical lead Henry Spencer
14846 > 5. If the ISDN link goes down in between and is reestablished, the SAs
14847 > are still up but the eroute are deleted and the IPSEC interface shows
14848 > garbage (with ifconfig)
14849 > 6. Only restarting IPSEC will bring the VPN back online.
14851 This one is awkward to solve. If the real interface that the IPsec
14852 interface is mounted on goes down, it takes most of the IPsec machinery
14853 down with it, and a restart is the only good way to recover.
14855 The only really clean fix, right now, is to split the machines in two:
14857 1. A minimal machine serves as the network router, and only it is aware
14858 that the link goes up and down.
14860 2. The IPsec is done on a separate gateway machine, which thinks it has
14861 a permanent network connection, via the router.
14863 This is clumsy but it does work. Trying to do both functions within a
14864 single machine is tricky. There is a software package (diald) which will
14865 give the illusion of a permanent connection for demand-dialed modem
14866 connections; I don't know whether it's usable for ISDN, or whether it can
14867 be made to cooperate properly with FreeS/WAN.
14869 Doing a restart each time the interface comes up *does* work, although it
14870 is a bit painful. I did that with PPP when I was running on a modem link;
14871 it wasn't hard to arrange the PPP scripts to bring IPsec up and down at
14872 the right times. (I'd meant to investigate diald but never found time.)
14874 In principle you don't need to do a complete restart on reconnect, but you
14875 do have to rebuild some things, and we have no nice clean way of doing
14876 only the necessary parts.
14878 In the same thread, one user commented:
14880 Subject: Re: linux-ipsec: IPSEC and Dial Up Connections
14881 Date: Wed, 22 Nov 2000
14882 From: Andy Bradford <andyb@calderasystems.com>
14884 On Wed, 22 Nov 2000 19:47:11 +0100, Philip Reetz wrote:
14886 > Are there any ideas what might be the cause of the problem and any way
14887 > to work around it.
14888 > Any help is highly appreciated.
14890 On my laptop, when using ppp there is a ip-up script in /etc/ppp that
14891 will be executed each time that the ppp interface is brought up.
14892 Likewise there is an ip-down script that is called when it is taken
14893 down. You might consider custimzing those to stop and start FreeS/Wan
14894 with each connection. I believe that ISDN uses the same files, though
14895 I could be wrong---there should be something similar though.
14897 <H3><A name="GRE">Can I build GRE tunnels over IPSEC?</A></H3>
14898 This is possible in theory, but we are short on practical details. If
14899 you do this, please let us know via the <A href="mail.html">mailing
14901 <P> Theere is a <A href="http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/07/msg00209.html">
14902 list message</A> with links to relevant resources. </P>
14903 <H3><A name="PKIcert"> Does FreeS/WAN support X.509 or other PKI
14904 certificates?</A></H3>
14905 FreeS/WAN, as distributed, does not currently support use of <A href="#X509">
14906 X.509</A> or other <A href="#PKI">PKI</A> certificates for
14907 authentication of gateways. We are concentrating on moving toward
14908 authentication via <A href="#SDNS">Secure DNS</A> and <A href="#carpediem">
14909 opportunistic encryption</A>; X.509 support is not (or at least not
14910 yet) on the priority list.
14911 <P> On the other hand, it is a priority for some users and
14912 user-contributed patches are available to add X.509 certificate support
14913 to FreeS/WAN now. See the <A href="#patch"> patches</A> section of our
14914 web references document for details. </P>
14915 <H3><A name="Radius">Does FreeS/WAN support Radius or other user
14916 authentication?</A></H3>
14917 Not yet. So far, there is no standard way to authenticate users for
14918 IPSEC, though there is a very active IETF <A href="http://www.ietf.org/html.charters/ipsra-charter.html">
14919 working group</A> looking at the problem, and several vendors have
14920 implemented various things already.
14921 <P> In the absence of a standard, user authentication has not been a
14922 priority for the FreeS/WAN team, and is unlikely to become one. This
14923 would be a good project for a volunteer, perhaps a staff member or
14924 contractor at some company that needs the feature. Certainly our team
14925 would co-operate with such an effort; we just don't have time to do it. </P>
14926 <P> Of course, there are various ways to avoid any requirement for user
14927 authentication in IPSEC. Consider the situation where road warriors
14928 build IPSEC tunnels to your office net and you are considering
14929 requiring user authentication during tunnel negotiation. Alternatives
14932 <LI>If you can trust the road warrior machines, then set them up so
14933 that only authorised users can create tunnels. If your road warriors
14934 use laptops, consider the possibility of theft. </LI>
14935 <LI>If the tunnel only provides access to particular servers and you
14936 can trust those servers, then set the servers up to require user
14937 authentication. </LI>
14939 If either of those is trustworthy, it is not clear that you need user
14940 authentication in IPSEC.
14941 <H3><A name="noDES.faq">Does FreeS/WAN support single DES encryption?</A>
14943 No, single DES is not used either at the <A href="#IKE">IKE</A> level
14944 for negotiating connections or at the <A href="#IPSEC">IPSEC</A> level
14945 for actually building them.
14946 <P> Single DES is <A href="#desnotsecure">insecure</A>. As we see it,
14947 it is more important to deliver real security than to comply with a
14948 standard which has been subverted into allowing use of inadequate
14949 methods. See this <A href="#weak">discussion</A>. </P>
14950 <P> If you want to interoperate with an IPSEC implementation which
14951 offers only DES, see our <A href="#noDES">interoperation</A> document. </P>
14952 <H2><A name="spam">Why don't you restrict the mailing lists to reduce
14954 <P> As a matter of policy, some of our <A href="mail.html">mailing lists</A>
14955 need to be open to non-subscribers. Project management feel strongly
14956 that maintaining this openness is more important than blocking spam. </P>
14958 <LI>Users should be able to get help or report bugs without
14960 <LI>Even a user who is subscribed may not have access to his or her
14961 subscribed account when he or she needs help, miles from home base in
14962 the middle of setting up a client's gateway. </LI>
14963 <LI>There is arguably a legal requirement for this policy. A US
14964 resident or citizen could be charged under munitions export laws for
14965 providing technical assistance to a foreign cryptographic project. Such
14966 a charge would be more easily defended if the discussion takes place in
14967 public, on an open list. </LI>
14969 <P> This has been discussed several times at some length on the list.
14970 See the <A href="#archive">list archives</A>. Bringing the topic up
14971 again is unlikely to be useful. Please don't. Or at the very least,
14972 please don't without reading the archives and being certain that
14973 whatever you are about to suggest has not yet been discussed. </P>
14974 <P> Project technical lead Henry Spencer summarised one discussion: <BLOCKQUOTE>
14975 For the third and last time: this list *will* *not* do address-based
14976 filtering. This is a policy decision, not an implementation problem.
14977 The decision is final, and is not open to discussion. This needs to be
14978 communicated better to people, and steps are being taken to do that. </BLOCKQUOTE>
14979 Adding this FAQ section is one of the steps he refers to. </P>
14980 <P> You have various options other than just putting up with the spam,
14981 filtering it yourself, or unsubscribing: </P>
14983 <LI>subscribe only to one or both of our lists with restricted posting
14986 <LI><A href="mailto:briefs@lists.freeswan.org?body=subscribe">briefs</A>
14987 , weekly list summaries </LI>
14988 <LI><A href="mailto:announce@lists.freeswan.org?body=subscribe">announce</A>
14989 , project-related announcements </LI>
14992 <LI>read the other lists via the <A href="#archive">archives</A></LI>
14994 <P> A number of tools are available to filter mail. </P>
14996 <LI>Many mail readers include some filtering capability. </LI>
14997 <LI>Many Linux distributions include <A href="http://www.procmail.org/">
14998 procmail(8)</A> for server-side filtering. </LI>
14999 <LI>The <A href="http://www.spambouncer.org/">Spam Bouncer</A> is a set
15000 of procmail(8) filters designed to combat spam. </LI>
15001 <LI>Roaring Penguin have a <A href="http://www.roaringpenguin.com/mimedefang/">
15002 MIME defanger</A> that removes potentially dangerous attachments. </LI>
15004 <P> If you use your ISP's mail server rather than running your own,
15005 consider suggesting to the ISP that they tag suspected spam as <A href="http://www.msen.com/1997/spam.html#SUSPECTED">
15006 this ISP</A> does. They could just refuse mail from dubious sources,
15007 but that is tricky and runs some risk of losing valuable mail or
15008 senselessly annoying senders and their admins. However, they can safely
15009 tag and deliver dubious mail. The tags can greatly assist your
15011 <P> For information on tracking down spammers, see these <A href="http://www.rahul.net/falk/#howtos">
15012 HowTos</A>, or the <A href="http://www.sputum.com/index2.html">Sputum</A>
15013 site. Sputum have a Linux anti-spam screensaver available for
15015 <P> Here is a more detailed message from Henry: </P>
15017 On Mon, 15 Jan 2001, Jay Vaughan wrote:
15018 > I know I'm flogging a dead horse here, but I'm curious as to the reasons for
15019 > an aversion for a subscriber-only mailing list?
15021 Once again: for legal reasons, it is important that discussions of these
15022 things be held in a public place -- the list -- and we do not want to
15023 force people to subscribe to the list just to ask one question, because
15024 that may be more than merely inconvenient for them. There are also real
15025 difficulties with people who are temporarily forced to use alternate
15026 addresses; that is precisely the time when they may be most in need of
15027 help, yet a subscribers-only policy shuts them out.
15029 These issues do not apply to most mailing lists, but for a list that is
15030 (necessarily) the primary user support route for a crypto package, they
15031 are very important. This is *not* an ordinary mailing list; it has to
15032 function under awkward constraints that make various simplistic solutions
15033 inapplicable or undesirable.
15035 > We're *ALL* sick of hearing about list management problems, not just you
15036 > old-timers, so why don't you DO SOMETHING EFFECTIVE ABOUT IT...
15038 Because it's a lot harder than it looks, and many existing "solutions"
15039 have problems when examined closely.
15041 > A suggestion for you, based on 10 years of experience with management of my
15042 > own mailing lists would be to use mailman, which includes pretty much every
15043 > feature under the sun that you guys need and want, plus some. The URL for
15046 I assure you, we're aware of mailman. Along with a whole bunch of others,
15047 including some you almost certainly have never heard of (I hadn't!).
15049 > As for the argument that the list shouldn't be configured to enforce
15050 > subscription - I contend that it *SHOULD* AT LEAST require manual address
15051 > verification in order for posts to be redirected.
15053 You do realize, I hope, that interposing such a manual step might cause
15054 your government to decide that this is not truly a public forum, and thus
15055 you could go to jail if you don't get approval from them before mailing to
15056 it? If you think this sounds irrational, your government is noted for
15057 making irrational decisions in this area; we can't assume that they will
15058 suddenly start being sensible. See above about awkward constraints. You
15059 may be willing to take the risk, but we can't, in good conscience, insist
15060 that all users with problems do so.
15063 henry@spsystems.net
15065 and a message on the topic from project leader John Gilmore:
15067 Subject: Re: The linux-ipsec list's topic
15068 Date: Sat, 30 Dec 2000
15069 From: John Gilmore <gnu@toad.com>
15071 I'll post this single message, once only, in this discussion, and then
15072 not burden the list with any further off-topic messages. I encourage
15073 everyone on the list to restrain themself from posting ANY off-topic
15074 messages to the linux-ipsec list.
15076 The topic of the linux-ipsec mailing list is the FreeS/WAN software.
15078 I frequently see "discussions about spam on a list" overwhelm the
15079 volume of "actual spam" on a list. BOTH kinds of messages are
15080 off-topic messages. Twenty anti-spam messages take just as long to
15081 detect and discard as twenty spam messages.
15083 The Linux-ipsec list encourages on-topic messages from people who have
15084 not joined the list itself. We will not censor messages to the list
15085 based on where they originate, or what return address they contain.
15086 In other words, non-subscribers ARE allowed to post, and this will not
15087 change. My own valid contributions have been rejected out-of-hand by
15088 too many other mailing lists for me to want to impose that censorship
15089 on anybody else's contributions. And every day I see the damage that
15090 anti-spam zeal is causing in many other ways; that zeal is far more
15091 damaging to the culture of the Internet than the nuisance of spam.
15093 In general, it is the responsibility of recipients to filter,
15094 prioritize, or otherwise manage the handling of email that comes to
15095 them. It is not the responsibility of the rest of the Internet
15096 community to refrain from sending messages to recipients that they
15097 might not want to see. If your software infrastructure for managing
15098 your incoming email is insufficient, then improve it. If you think
15099 the signal-to-noise ratio on linux-ipsec is too poor, then please
15100 unsubscribe. But don't further increase the noise by posting to the
15101 linux-ipsec list about those topics.
15104 founder sponsor, FreeS/WAN project
15107 <H1><A name="performance">Performance of FreeS/WAN</A></H1>
15108 The performance of FreeS/WAN is adequate for most applications.
15109 Perhaps because of that, there are few detailed measurements. Those we
15111 <P> The University of Wales at Aberystwyth has done quite detailed
15112 tests and put <A href="http://tsc.llwybr.org.uk/public/reports/SWANTIME/">
15113 their results</A> on the web.</P>
15114 <P><EM> Even a 486 can handle a T1 line</EM>, according to this mailing
15116 <PRE>Subject: Re: linux-ipsec: IPSec Masquerade
15117 Date: Fri, 15 Jan 1999 11:13:22 -0500
15118 From: Michael Richardson
15120 . . . A 486/66 has been clocked by Phil Karn to do
15121 10Mb/s encryption.. that uses all the CPU, so half that to get some CPU,
15122 and you have 5Mb/s. 1/3 that for 3DES and you get 1.6Mb/s....</PRE>
15123 <P>and a piece of mail from project technical lead Henry Spencer:</P>
15124 <PRE>Oh yes, and a new timing point for Sandy's docs... A P60 -- yes, a 60MHz
15125 Pentium, talk about antiques -- running a host-to-host tunnel to another
15126 machine shows an FTP throughput (that is, end-to-end results with a real
15127 protocol) of slightly over 5Mbit/s either way. (The other machine is much
15128 faster, the network is 100Mbps, and the ether cards are good ones... so
15129 the P60 is pretty definitely the bottleneck.)</PRE>
15130 <P> Here is some additional data from the mailing list. </P>
15132 Subject: FreeSWAN (specically KLIPS) performance measurements
15133 Date: Thu, 01 Feb 2001
15134 From: Nigel Metheringham <Nigel.Metheringham@intechnology.co.uk>
15137 I've spent a happy morning attempting performance tests against KLIPS
15138 (this is due to me not being able to work out the CPU usage of KLIPS so
15139 resorting to the crude measurements of maximum throughput to give a
15140 baseline to work out loading of a box).
15142 Measurements were done using a set of 4 boxes arranged in a line, each
15143 connected to the next by 100Mbit duplex ethernet. The inner 2 had an
15144 ipsec tunnel between them (shared secret, but I was doing measurements
15145 when the tunnel was up and running - keying should not be an issue
15146 here). The outer pair of boxes were traffic generators or traffic sink.
15148 The crypt boxes are Compaq DL380s - Uniprocessor PIII/733 with 256K
15149 cache. They have 128M main memory. Nothing significant was running on
15150 the boxes other than freeswan. The kernel was a 2.2.19pre7 patched
15151 with freeswan and ext3.
15153 Without an ipsec tunnel in the chain (ie the 2 inner boxes just being
15154 100BaseT routers), throughput (measured with ttcp) was between 10644
15157 With an ipsec tunnel in place, throughput was between 3268 and 3402
15160 These measurements are for data pushed across a TCP link, so the
15161 traffic on the wire between the 2 ipsec boxes would have been higher
15164 vmstat (run during some other tests, so not affecting those figures) on
15165 the encrypting box shows approx 50% system 50% idle CPU - which I
15166 don't believe at all. Interactive feel of the box was significantly
15169 I also tried running the kernel profiler (see man readprofile) during
15172 A box doing primarily decrypt work showed basically nothing happening -
15173 I assume interrupts were off.
15174 A box doing encrypt work showed the following:-
15175 Ticks Function Load
15176 ~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~
15178 532 des_encrypt2 0.1330
15179 110 MD5Transform 0.0443
15181 39 des_encrypt3 0.1336
15182 23 speedo_interrupt 0.0298
15183 14 skb_copy_expand 0.0250
15184 13 ipsec_tunnel_start_xmit 0.0009
15186 11 handle_IRQ_event 0.1019
15187 11 .des_ncbc_encrypt_end 0.0229
15188 10 speedo_start_xmit 0.0188
15191 8 ip_fragment 0.0121
15194 5 .des_encrypt2_end 5.0000
15196 4 ip_fw_check 0.0035
15198 2 ipfw_output_check 0.0200
15199 2 inet_addr_type 0.0156
15200 2 eth_copy_and_sum 0.0139
15203 1 speedo_tx_buffer_gc 0.0024
15204 1 speedo_refill_rx_buf 0.0022
15205 1 restore_all 0.0667
15208 1 neigh_connected_output 0.0076
15210 1 kmem_cache_free 0.0016
15211 1 kmem_cache_alloc 0.0022
15212 1 __kfree_skb 0.0060
15215 1 ip_options_fragment 0.0071
15216 1 ip_local_deliver 0.0023
15217 1 ipfw_forward_check 0.0139
15218 1 ip_forward 0.0011
15219 1 eth_header 0.0040
15220 1 .des_encrypt3_end 0.0833
15221 1 des_decrypt3 0.0034
15222 1 csum_partial_copy_generic 0.0045
15223 1 call_out_firewall 0.0125
15225 Hope this data is helpful to someone... however the lack of visibility
15226 into the decrypt side makes things less clear
15228 <H2><A name="methods">Methods of mesasuring</A></H2>
15229 If you want to measure the loads FreeS/WAN puts on a system, note that
15230 tools such as top or measurements such as load average are more-or-less
15231 useless for this. They are not designed to measure something that does
15232 most of its work inside the kernel.
15233 <P> Here is a message from FreeS/WAN kernel programmer Richard Guy
15234 Briggs on this: </P>
15236 > I have a batch of boxes doing Freeswan stuff.
15237 > I want to measure the CPU loading of the Freeswan tunnels, but am
15238 > having trouble seeing how I get some figures out...
15240 > - Keying etc is in userspace so will show up on the per-process
15241 > and load average etc (ie pluto's load)
15245 > - KLIPS is in the kernel space, and does not show up in load average
15246 > I think also that the KLIPS per-packet processing stuff is running
15247 > as part of an interrupt handler so it does not show up in the
15248 > /proc/stat system_cpu or even idle_cpu figures
15250 It is not running in interrupt handler. It is in the bottom half.
15251 This is somewhere between user context (careful, this is not
15252 userspace!) and hardware interrupt context.
15254 > Is this correct, and is there any means of instrumenting how much the
15255 > cpu is being loaded - I don't like the idea of a system running out of
15256 > steam whilst still showing 100% idle CPU :-)
15258 vmstat seems to do a fairly good job, but use a running tally to get a
15259 good idea. A one-off call to vmstat gives different numbers than a
15260 running stat. To do this, put an interval on your vmstat command
15263 and another suggestion from the same thread:
15265 Subject: Re: Measuring the CPU usage of Freeswan
15266 Date: Mon, 29 Jan 2001
15267 From: Patrick Michael Kane <modus@pr.es.to>
15269 The only truly accurate way to accurately track FreeSWAN CPU usage is to use
15270 a CPU soaker. You run it on an unloaded system as a benchmark, then start up
15271 FreeSWAN and take the difference to determine how much FreeSWAN is eating.
15272 I believe someone has done this in the past, so you may find something in
15273 the FreeSWAN archives. If not, someone recently posted a URL to a CPU
15274 soaker benchmark tool on linux-kernel.